From 57a7f09f04f26c7749d1b0529afa633ad55b980a Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Mon, 20 Nov 2023 11:59:02 -0800 Subject: [PATCH 1/3] Migrate caution -> warning for admonitions Signed-off-by: Derek Nola --- docs/cli/certificate.md | 6 +++--- docs/cli/secrets-encrypt.md | 2 +- docs/cli/token.md | 2 +- docs/datastore/backup-restore.md | 2 +- docs/datastore/datastore.md | 2 +- docs/datastore/ha-embedded.md | 2 +- docs/installation/network-options.md | 12 ++++++------ docs/installation/requirements.md | 2 +- docs/installation/uninstall.md | 2 +- docs/release-notes/v1.24.X.md | 4 ++-- docs/release-notes/v1.25.X.md | 2 +- docs/release-notes/v1.26.X.md | 2 +- docs/release-notes/v1.27.X.md | 2 +- docs/release-notes/v1.28.X.md | 2 +- docs/storage/storage.md | 2 +- .../current/cli/certificate.md | 6 +++--- .../current/cli/secrets-encrypt.md | 2 +- .../current/cli/token.md | 2 +- .../current/datastore/backup-restore.md | 2 +- .../current/datastore/ha-embedded.md | 2 +- .../current/installation/network-options.md | 8 ++++---- .../current/installation/uninstall.md | 2 +- .../current/storage/storage.md | 2 +- .../current/cli/certificate.md | 6 +++--- .../current/cli/secrets-encrypt.md | 2 +- .../current/cli/token.md | 2 +- .../current/datastore/backup-restore.md | 2 +- .../current/datastore/cluster-loadbalancer.md | 2 +- .../current/datastore/datastore.md | 2 +- .../current/datastore/ha-embedded.md | 2 +- .../current/installation/network-options.md | 10 +++++----- .../current/installation/packaged-components.md | 2 +- .../current/installation/requirements.md | 2 +- .../current/installation/uninstall.md | 2 +- .../current/networking/networking.md | 4 ++-- .../current/storage/storage.md | 2 +- .../current/upgrades/automated.md | 2 +- scripts/collect-all-release-notes.sh | 2 +- 38 files changed, 58 insertions(+), 58 deletions(-) diff --git a/docs/cli/certificate.md b/docs/cli/certificate.md index e199cc8de..e113cd5e9 100644 --- a/docs/cli/certificate.md 
+++ b/docs/cli/certificate.md @@ -142,7 +142,7 @@ If the script generated root and/or intermediate CA files, you should back up th To rotate custom CA certificates, use the `k3s certificate rotate-ca` subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated certificates and keys into a separate directory. ::: @@ -185,7 +185,7 @@ The token may be stored in a `.env` file, systemd unit, or config.yaml, dependin To rotate the K3s-generated self-signed CA certificates, use the `k3s certificate rotate-ca` subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated certificates and keys into a separate directory. ::: @@ -294,7 +294,7 @@ The service-account issuer key is an RSA private key used to sign service-accoun When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the `k3s certificate rotate-ca` to install only an updated `service.key` file that includes both the new and old keys. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated key into a separate directory. ::: diff --git a/docs/cli/secrets-encrypt.md b/docs/cli/secrets-encrypt.md index 56a74dcad..7f809a71f 100644 --- a/docs/cli/secrets-encrypt.md +++ b/docs/cli/secrets-encrypt.md 
@@ -19,7 +19,7 @@ K3s contains a CLI tool `secrets-encrypt`, which enables automatic control over - Rotating and deleting encryption keys - Reencrypting secrets -:::caution +:::warning Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution. ::: diff --git a/docs/cli/token.md b/docs/cli/token.md index 5d177ee13..7238f9f12 100644 --- a/docs/cli/token.md +++ b/docs/cli/token.md @@ -55,7 +55,7 @@ The server token can be used to join both server and agent nodes to the cluster. The server token is also used as the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself. -:::caution +:::warning Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates. ::: diff --git a/docs/datastore/backup-restore.md b/docs/datastore/backup-restore.md index c6998db0b..6975f2507 100644 --- a/docs/datastore/backup-restore.md +++ b/docs/datastore/backup-restore.md @@ -5,7 +5,7 @@ weight: 26 The way K3s is backed up and restored depends on which type of datastore is used. -:::caution +:::warning In addition to backing up the datastore itself, you must also back up the server token file at `/var/lib/rancher/k3s/server/token`. You must restore this file, or pass its value into the `--token` option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself. 
diff --git a/docs/datastore/datastore.md b/docs/datastore/datastore.md index f98aca7b8..b74b2ddcb 100644 --- a/docs/datastore/datastore.md +++ b/docs/datastore/datastore.md @@ -26,7 +26,7 @@ K3s supports the following datastore options: * [MariaDB](https://mariadb.org/) (certified against version 10.6.8) * [PostgreSQL](https://www.postgresql.org/) (certified against versions 10.7, 11.5, and 14.2) -:::caution Prepared Statement Support +:::warning Prepared Statement Support K3s requires prepared statements support from the DB. This means that connection poolers such as [PgBouncer](https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling) may require additional configuration to work with K3s. ::: diff --git a/docs/datastore/ha-embedded.md b/docs/datastore/ha-embedded.md index 49ceeee38..a9ebc80da 100644 --- a/docs/datastore/ha-embedded.md +++ b/docs/datastore/ha-embedded.md @@ -3,7 +3,7 @@ title: "High Availability Embedded etcd" weight: 40 --- -:::caution +:::warning Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards. ::: diff --git a/docs/installation/network-options.md b/docs/installation/network-options.md index c88413b7c..d85683d42 100644 --- a/docs/installation/network-options.md +++ b/docs/installation/network-options.md @@ -138,7 +138,7 @@ Stable support is available as of [v1.23.7+k3s1](https://github.com/k3s-io/k3s/r ::: -:::caution Known Issue +:::warning Known Issue Before 1.27, Kubernetes [Issue #111695](https://github.com/kubernetes/kubernetes/issues/111695) causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents: 
@@ -162,7 +162,7 @@ Note that you may configure any valid `cluster-cidr` and `service-cidr` values, If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled. -:::caution Known Issue +:::warning Known Issue When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family. ::: @@ -172,7 +172,7 @@ When defining cluster-cidr and service-cidr with IPv6 as the primary family, the Available as of [v1.22.9+k3s1](https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1) ::: -:::caution Known Issue +:::warning Known Issue If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl `net.ipv6.conf.all.accept_ra=2`; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of [man-in-the-middle attacks](https://github.com/kubernetes/kubernetes/issues/91507). ::: 
@@ -186,11 +186,11 @@ Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using th A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the `tailscale` VPN provider. -:::caution Warning +:::warning The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high. ::: -:::caution Warning +:::warning Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location. ::: @@ -258,7 +258,7 @@ or provide that information in a file and use the parameter: Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending `,controlServerURL=$URL` to the vpn-auth parameters -:::caution Warning +:::warning If you plan on running several K3s clusters using the same tailscale network, please create appropriate [ACLs](https://tailscale.com/kb/1018/acls/) to avoid IP conflicts or use different podCIDR subnets for each cluster. diff --git a/docs/installation/requirements.md b/docs/installation/requirements.md index 1c77cd4c8..824abb82c 100644 --- a/docs/installation/requirements.md +++ b/docs/installation/requirements.md @@ -21,7 +21,7 @@ K3s is available for the following architectures: - arm64/aarch64 - s390x -:::caution ARM64 Page Size +:::warning ARM64 Page Size Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on `aarch64/arm64` systems, the OS must use a 4k page size. **RHEL9**, **Ubuntu**, **Raspberry PI OS**, and **SLES** all meet this requirement. 
diff --git a/docs/installation/uninstall.md b/docs/installation/uninstall.md index 1d657ee6d..d615716be 100644 --- a/docs/installation/uninstall.md +++ b/docs/installation/uninstall.md @@ -3,7 +3,7 @@ title: Uninstalling K3s weight: 61 --- -:::caution +:::warning Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools. It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes. ::: diff --git a/docs/release-notes/v1.24.X.md b/docs/release-notes/v1.24.X.md index 55175ff91..5a6a4b2de 100644 --- a/docs/release-notes/v1.24.X.md +++ b/docs/release-notes/v1.24.X.md @@ -4,7 +4,7 @@ hide_table_of_contents: true # v1.24.X -:::caution Upgrade Notice +:::warning Upgrade Notice Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes). ::: @@ -35,7 +35,7 @@ Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent U This release updates Kubernetes to v1.24.17, and fixes a number of issues. -:::caution IMPORTANT +:::warning IMPORTANT This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability. ::: diff --git a/docs/release-notes/v1.25.X.md b/docs/release-notes/v1.25.X.md index 0815284a6..ab1a3a69f 100644 --- a/docs/release-notes/v1.25.X.md +++ b/docs/release-notes/v1.25.X.md @@ -4,7 +4,7 @@ hide_table_of_contents: true # v1.25.X -:::caution Upgrade Notice +:::warning Upgrade Notice Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes). ::: 
diff --git a/docs/release-notes/v1.26.X.md b/docs/release-notes/v1.26.X.md index 84ef70162..2a3d46bdd 100644 --- a/docs/release-notes/v1.26.X.md +++ b/docs/release-notes/v1.26.X.md @@ -4,7 +4,7 @@ hide_table_of_contents: true # v1.26.X -:::caution Upgrade Notice +:::warning Upgrade Notice Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes). ::: diff --git a/docs/release-notes/v1.27.X.md b/docs/release-notes/v1.27.X.md index 2ba14d525..858432edd 100644 --- a/docs/release-notes/v1.27.X.md +++ b/docs/release-notes/v1.27.X.md @@ -4,7 +4,7 @@ hide_table_of_contents: true # v1.27.X -:::caution Upgrade Notice +:::warning Upgrade Notice Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes). ::: diff --git a/docs/release-notes/v1.28.X.md b/docs/release-notes/v1.28.X.md index 35fbf9a1b..8d20ff871 100644 --- a/docs/release-notes/v1.28.X.md +++ b/docs/release-notes/v1.28.X.md @@ -4,7 +4,7 @@ hide_table_of_contents: true # v1.28.X -:::caution Upgrade Notice +:::warning Upgrade Notice Before upgrading from earlier releases, be sure to read the Kubernetes [Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes). ::: diff --git a/docs/storage/storage.md b/docs/storage/storage.md index 111a1ac54..cad22f3a6 100644 --- a/docs/storage/storage.md +++ b/docs/storage/storage.md @@ -93,7 +93,7 @@ The status should be Bound for each. ## Setting up Longhorn -:::caution +:::warning Longhorn does not support ARM32. diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md b/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md index 184044b3d..9df7531e9 100644 
--- a/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md @@ -142,7 +142,7 @@ If the script generated root and/or intermediate CA files, you should back up th To rotate custom CA certificates, use the `k3s certificate rotate-ca` subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated certificates and keys into a separate directory. ::: @@ -185,7 +185,7 @@ The token may be stored in a `.env` file, systemd unit, or config.yaml, dependin To rotate the K3s-generated self-signed CA certificates, use the `k3s certificate rotate-ca` subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated certificates and keys into a separate directory. ::: @@ -294,7 +294,7 @@ The service-account issuer key is an RSA private key used to sign service-accoun When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the `k3s certificate rotate-ca` to install only an updated `service.key` file that includes both the new and old keys. -:::caution +:::warning You must not overwrite the currently in-use data in `/var/lib/rancher/k3s/server/tls`. Stage the updated key into a separate directory. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md b/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md index 56a74dcad..7f809a71f 100644 
--- a/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md @@ -19,7 +19,7 @@ K3s contains a CLI tool `secrets-encrypt`, which enables automatic control over - Rotating and deleting encryption keys - Reencrypting secrets -:::caution +:::warning Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md b/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md index 7bcda2c63..d16646545 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md @@ -55,7 +55,7 @@ The server token can be used to join both server and agent nodes to the cluster. The server token is also used as the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself. -:::caution +:::warning Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md b/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md index c6998db0b..6975f2507 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md 
@@ -5,7 +5,7 @@ weight: 26 The way K3s is backed up and restored depends on which type of datastore is used. -:::caution +:::warning In addition to backing up the datastore itself, you must also back up the server token file at `/var/lib/rancher/k3s/server/token`. You must restore this file, or pass its value into the `--token` option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself. diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md b/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md index 39eff7d92..96f3f53ef 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md @@ -12,7 +12,7 @@ Experimental support as of [v1.19.1+k3s1](https://github.com/k3s-io/k3s/releases Embedded etcd replaced experimental Dqlite in the K3s v1.19.1 release. This is a breaking change. Please note that upgrades from experimental Dqlite to embedded etcd are not supported. If you attempt an upgrade it will not succeed and data will be lost. ::: -:::caution +:::warning Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/installation/network-options.md b/i18n/kr/docusaurus-plugin-content-docs/current/installation/network-options.md index 9c9886b34..97141d367 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/installation/network-options.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/installation/network-options.md 
@@ -122,7 +122,7 @@ Stable support is available as of [v1.23.7+k3s1](https://github.com/k3s-io/k3s/r ::: -:::caution Known Issue +:::warning Known Issue Kubernetes v1.24 and v1.25 include [an issue](https://github.com/kubernetes/kubernetes/issues/111695) that ignores the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, add the following flag to both K3s servers and agents: @@ -152,7 +152,7 @@ If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the Available as of [v1.22.9+k3s1](https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1) ::: -:::caution Known Issue +:::warning Known Issue If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl `net.ipv6.conf.all.accept_ra=2`; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of [man-in-the-middle attacks](https://github.com/kubernetes/kubernetes/issues/91507). ::: @@ -189,11 +189,11 @@ systemctl restart k3s ``` ::: -:::caution Warning +:::warning The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high. ::: -:::caution Warning +:::warning Embedded etcd will not use external IPs for communication. If using embedded etcd; all server nodes must be reachable to each other via their private IPs. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md b/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md index 1d657ee6d..d615716be 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md 
@@ -3,7 +3,7 @@ title: Uninstalling K3s weight: 61 --- -:::caution +:::warning Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools. It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/storage/storage.md b/i18n/kr/docusaurus-plugin-content-docs/current/storage/storage.md index 729b2edce..125d4bf53 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/storage/storage.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/storage/storage.md @@ -95,7 +95,7 @@ kubectl get pvc ## Longhorn 구성하기 -:::caution +:::warning Longhorn은 ARM32를 지원하지 않습니다. diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md b/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md index 6f8fd53df..e357dba3e 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md @@ -142,7 +142,7 @@ curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-c 要轮换自定义 CA 证书,请使用 `k3s certificate rotate-ca` 子命令。 更新后的文件必须暂存到一个临时目录中,加载到数据存储中,并且必须在所有节点上重启 K3s 才能使用更新后的证书。 -:::caution +:::warning 不要覆盖 `/var/lib/rancher/k3s/server/tls` 中正在使用的数据。 将更新的证书和密钥暂存到单独的目录中。 ::: @@ -185,7 +185,7 @@ Token 可能存储在 `.env` 文件、systemd 单元或 config.yaml 中,具体 要轮换 K3s 生成的自签名 CA 证书,请使用 `k3s certificate rotate-ca` 子命令。 更新后的文件必须暂存到一个临时目录中,加载到数据存储中,并且必须在所有节点上重启 K3s 才能使用更新后的证书。 -:::caution +:::warning 不要覆盖 `/var/lib/rancher/k3s/server/tls` 中正在使用的数据。 将更新的证书和密钥暂存到单独的目录中。 ::: @@ -294,7 +294,7 @@ service-account Issuer 密钥是用于签发 service-account Token 的 RSA 私 轮换 service-account Issuer 密钥时,文件中至少应保留一个旧密钥,以免现有 service-account Token 失效。 它可以通过使用 `k3s certificate rotate-ca` 独立于集群 CA 进行轮换,这样能仅安装包含新旧密钥的更新的 `service.key` 文件。 -:::caution +:::warning 不要覆盖 `/var/lib/rancher/k3s/server/tls` 中正在使用的数据。 将更新的密钥暂存到单独的目录中。 ::: 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md b/i18n/zh/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md index 8adc4dc38..d7fba5ac0 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md @@ -19,7 +19,7 @@ K3s 包含一个 CLI 工具 `secrets-encrypt`,可以自动控制以下内容 - 轮换和删除加密密钥 - 重新加密 Secret -:::caution +:::warning 如果不遵循正确的加密密钥轮换程序,你的集群可能会永久损坏。因此,请谨慎操作。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/cli/token.md b/i18n/zh/docusaurus-plugin-content-docs/current/cli/token.md index b45dada1f..7598b57fe 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/cli/token.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/cli/token.md @@ -55,7 +55,7 @@ Server Token 可用于将 Server 和 Agent 节点加入集群。一旦创建了 Server Token 还用作密钥的 [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) 密码,该密钥用于加密持久保存到数据存储的机密信息,例如 Secret 加密配置、wireguard 密钥,集群 CA 证书的私钥以及 service-account Token。因此,Token 必须与集群数据存储一起备份。 -:::caution +:::warning 除非使用了自定义 CA 证书,否则在启动集群的第一个 Server 时只能使用短 Token 格式(仅密码)。这是因为只有在 Server 生成自签名集群 CA 证书后才能知道集群 CA 哈希值。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/backup-restore.md b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/backup-restore.md index 814fb7919..66753cb0b 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/backup-restore.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/backup-restore.md @@ -5,7 +5,7 @@ weight: 26 K3s 的备份和恢复方式取决于你使用的数据存储类型。 -:::caution +:::warning 除了备份数据存储本身,你还必须备份位于 `/var/lib/rancher/k3s/server/token` 的 Server Token 文件。 使用备份进行恢复时,你必须恢复此文件,或将其值传递给 `--token` 选项。 由于 Token 用于加密数据存储内的凭证数据,因此如果还原时没有使用相同的 Token 值,快照将无法使用。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md index e843b6f4e..596d615fb 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md @@ -130,7 +130,7 @@ server-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1 ## Nginx 负载均衡器 -:::caution +:::warning Nginx 本身不支持高可用性 (HA) 配置。如果设置 HA 集群,在 K3 前面使用单个负载均衡器将重新引入单一故障点。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/datastore.md b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/datastore.md index 8cff1ddef..a461d2e1a 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/datastore.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/datastore.md @@ -26,7 +26,7 @@ K3s 支持以下数据存储选项: * [MariaDB](https://mariadb.org/)(针对版本 10.6.8 进行了认证) * [PostgreSQL](https://www.postgresql.org/)(针对版本 10.7、11.5 和 14.2 进行了认证) -:::caution 准备语句支持 +:::warning 准备语句支持 K3s 需要 DB 的准备语句支持。换言之,[PgBouncer](https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling) 之类的连接池将无法与 K3s 一起使用。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md index 8003306de..226c2fdaf 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md @@ -3,7 +3,7 @@ title: "高可用嵌入式 etcd" weight: 40 --- -:::caution +:::warning 嵌入式 etcd (HA) 在速度较慢的磁盘(例如使用 SD 卡运行的 Raspberry Pi)上可能会出现性能问题。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/installation/network-options.md b/i18n/zh/docusaurus-plugin-content-docs/current/installation/network-options.md index 4f3fd5072..2ebbe56e7 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/installation/network-options.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/installation/network-options.md 
@@ -139,7 +139,7 @@ K3s Agent 和 Server 维护节点之间的 websocket 隧道,这些隧道用于 ::: -:::caution 已知问题 +:::warning 已知问题 Kubernetes [Issue #111695](https://github.com/kubernetes/kubernetes/issues/111695) 导致了一个问题。如果你有一个双栈环境而且你没有为集群流量使用主要网卡,那么 Kubelet 会忽略节点 IPv6 地址。为避免此错误,请将以下标志添加到 K3s Server 和 Agent : @@ -169,7 +169,7 @@ Kubernetes [Issue #111695](https://github.com/kubernetes/kubernetes/issues/11169 从 [v1.22.9+k3s1](https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1) 起可用 ::: -:::caution 已知问题 +:::warning 已知问题 如果你的 IPv6 默认路由是由路由器公告(RA)设置的,你需要设置 sysctl `net.ipv6.conf.all.accept_ra=2`。否则,一旦默认路由过期,节点将放弃该路由。请注意,接受 RA 可能会增加[中间人攻击](https://github.com/kubernetes/kubernetes/issues/91507)的风险。 ::: @@ -183,11 +183,11 @@ Kubernetes [Issue #111695](https://github.com/kubernetes/kubernetes/issues/11169 K3s 集群仍然可以部署在不共享公共私有网络且不直接连接的节点上(例如不同公有云中的节点)。有两种选择可以实现这一点:嵌入式 k3s 多云解决方案和集成 `tailscale` VPN 提供程序。 -:::caution 警告 +:::warning 警告 如果外部连接需要更多的跃点,那么节点之间的延迟会变高。延迟太高会降低网络性能,还可能影响集群的运行。 ::: -:::caution +:::warning 此类部署不支持嵌入式 etcd。如果使用嵌入式 etcd,所有 Server 节点必须可以通过其私有 IP 相互访问。Agent 可能分布在多个网络上,但所有 server 都应该位于同一位置。 ::: @@ -255,7 +255,7 @@ curl -fsSL https://tailscale.com/install.sh | sh 或者,如果你有自己的 Tailscale 服务器(例如 headscale),则可以通过将 `,controlServerURL=$URL` 附加到 vpn-auth 参数来连接它。 -:::caution 警告 +:::warning 警告 如果你计划使用同一个 tailscale 网络运行多个 K3s 集群,请创建适当的 [ACL](https://tailscale.com/kb/1018/acls/) 来避免 IP 冲突,或为每个集群使用不同的 podCIDR 子网。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/installation/packaged-components.md b/i18n/zh/docusaurus-plugin-content-docs/current/installation/packaged-components.md index 00ad5ba0b..c1f649eae 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/installation/packaged-components.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/installation/packaged-components.md 
@@ -31,7 +31,7 @@ K3s 封装了很多组件,这些组件通过 `manifests` 目录部署为 AddOn > a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character > (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')` -:::caution +:::warning 如果你有多个 Server 节点,并在多个 Server 上放置了额外的 AddOn 清单,那么你需要确保文件在节点之间保持同步。K3s 不会在节点之间同步 AddOn 的内容。如果不同的 Server 尝试部署冲突的清单,那么可能会出现问题。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md b/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md index bb53aef5c..129818628 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md @@ -21,7 +21,7 @@ K3s 适用于以下架构: - arm64/aarch64 - s390x -:::caution ARM64 页面大小 +:::warning ARM64 页面大小 在 2023 年 5 月版本(v1.24.14+k3s1、v1.25.10+k3s1、v1.26.5+k3s1、v1.27.2+k3s1)前,在 `aarch64/arm64` 系统上,操作系统必须使用 4k 页面大小。**RHEL9**、**Ubuntu**、**Raspberry PI OS** 和 **SLES** 都满足这个要求。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/installation/uninstall.md b/i18n/zh/docusaurus-plugin-content-docs/current/installation/uninstall.md index 8cf8b497d..a3dca1751 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/installation/uninstall.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/installation/uninstall.md @@ -3,7 +3,7 @@ title: 卸载 K3s weight: 61 --- -:::caution +:::warning 卸载 K3s 会删除 local 集群数据、配置以及所有脚本和 CLI 工具。 不会删除外部数据存储中的任何数据,也不会删除使用外部 Kubernetes 存储卷的 Pod 创建的数据。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/networking/networking.md b/i18n/zh/docusaurus-plugin-content-docs/current/networking/networking.md index c904f77cf..06b8cbc30 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/networking/networking.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/networking/networking.md 
@@ -116,7 +116,7 @@ ServiceLB 控制器会监视 Kubernetes [Service](https://kubernetes.io/docs/con ::: -:::caution 警告 +:::warning 警告 启用此标志后,网络策略控制器将无法正常工作。 ::: @@ -149,6 +149,6 @@ spec: :::note 已拥有 CIDR 的节点无法获得新的 CIDR。你必须移除或重启它。 ::: -:::caution 警告 +:::warning 警告 你可以使用 `ipv4` 和 `ipv6` 来定义双栈 CIDR,但 `perNodeHostBits` 是相同的。使用 `--cluster-cidr` 来定义双栈配置时,`kube-controller` 上的 `--node-cidr-mask-size-ipv6` 标志需要具有与 IPv4 相同的大小。 ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/storage/storage.md b/i18n/zh/docusaurus-plugin-content-docs/current/storage/storage.md index 453e5debc..32acc8525 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/storage/storage.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/storage/storage.md @@ -93,7 +93,7 @@ kubectl get pvc ## 设置 Longhorn -:::caution +:::warning Longhorn 不支持 ARM32。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/upgrades/automated.md b/i18n/zh/docusaurus-plugin-content-docs/current/upgrades/automated.md index 26dd43b4b..b186f239c 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/upgrades/automated.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/upgrades/automated.md @@ -25,7 +25,7 @@ weight: 20 1. 将 system-upgrade-controller 安装到集群中 1. 配置计划 -:::caution +:::warning 如果 K3s 集群由 Rancher 管理,你需要使用 Rancher UI 来管理升级。 - 如果 K3s 集群是导入到 Rancher 的,Rancher 将管理 system-upgrade-controller 部署和计划。不要按照此页面上的步骤操作。 - 如果 K3s 集群是由 Rancher 预配的,Rancher 将使用系统 Agent 来管理版本升级。不要按照此页面上的步骤操作。 diff --git a/scripts/collect-all-release-notes.sh b/scripts/collect-all-release-notes.sh index 377e80844..b505d9485 100755 --- a/scripts/collect-all-release-notes.sh +++ b/scripts/collect-all-release-notes.sh 
@@ -23,7 +23,7 @@ for minor in $MINORS; do title="---\nhide_table_of_contents: true\n---\n\n# ${minor}.X\n" echo -e "${title}" >> $k3s_table upgrade_link="[Urgent Upgrade Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-${minor:1}.md#urgent-upgrade-notes)" - upgrade_warning=":::caution Upgrade Notice\nBefore upgrading from earlier releases, be sure to read the Kubernetes ${upgrade_link}.\n:::\n" + upgrade_warning=":::warning Upgrade Notice\nBefore upgrading from earlier releases, be sure to read the Kubernetes ${upgrade_link}.\n:::\n" echo -e "${upgrade_warning}" >> $k3s_table echo -n "| Version | Release date " >> $k3s_table echo "$body" | grep "^|" | tail -n+3 | awk -F'|' '{ print $2 }' | while read column; do echo -n "| $column " >> $k3s_table; done From 4097de950a4aa02000a78eab1e2cc21017cf42d8 Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Mon, 20 Nov 2023 12:01:09 -0800 Subject: [PATCH 2/3] Migrate important -> info admonition Signed-off-by: Derek Nola --- docs/cli/certificate.md | 2 +- .../docusaurus-plugin-content-docs/current/cli/certificate.md | 2 +- .../docusaurus-plugin-content-docs/current/cli/certificate.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/cli/certificate.md b/docs/cli/certificate.md index e113cd5e9..e86f16e66 100644 --- a/docs/cli/certificate.md +++ b/docs/cli/certificate.md @@ -106,7 +106,7 @@ graph TD #### Using the Example Script -:::important +:::info Important If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md b/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md index 9df7531e9..5ff3d499b 100644 
--- a/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md @@ -106,7 +106,7 @@ graph TD #### Using the Example Script -:::important +:::info 중요한 If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates. ::: diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md b/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md index e357dba3e..ec964874f 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/cli/certificate.md @@ -106,7 +106,7 @@ graph TD #### 使用示例脚本 -:::important +:::info 重要的 如果要使用示例脚本通过现有根 CA 来签发集群 CA 证书,则必须在运行脚本之前将根文件和中间文件放在目标目录中。 如果文件不存在,脚本将创建新的根 CA 证书和中间 CA 证书。 ::: From 2567fecba5b8f2b87198767b61a382df48da56cf Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Mon, 20 Nov 2023 12:11:42 -0800 Subject: [PATCH 3/3] Convert original warnings -> danger admonition Signed-off-by: Derek Nola --- docs/datastore/cluster-loadbalancer.md | 2 +- docs/installation/packaged-components.md | 2 +- docs/installation/requirements.md | 2 +- docs/release-notes/v1.28.X.md | 6 +++++- .../current/installation/packaged-components.md | 2 +- .../current/installation/requirements.md | 2 +- .../current/installation/requirements.md | 2 +- 7 files changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/datastore/cluster-loadbalancer.md b/docs/datastore/cluster-loadbalancer.md index 74aaed303..7f56c56e8 100644 --- a/docs/datastore/cluster-loadbalancer.md +++ b/docs/datastore/cluster-loadbalancer.md 
@@ -130,7 +130,7 @@ server-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1 ## Nginx Load Balancer -:::warning +:::danger Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure. ::: diff --git a/docs/installation/packaged-components.md b/docs/installation/packaged-components.md index f3a6cce06..2738e8993 100644 --- a/docs/installation/packaged-components.md +++ b/docs/installation/packaged-components.md @@ -31,7 +31,7 @@ Here is en example of an error that would be reported if the file name contains a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')` -:::warning +:::danger If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests. ::: diff --git a/docs/installation/requirements.md b/docs/installation/requirements.md index 824abb82c..a2d64b910 100644 --- a/docs/installation/requirements.md +++ b/docs/installation/requirements.md 
@@ -127,7 +127,7 @@ If you plan on achieving high availability with embedded etcd, server nodes must The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. ::: -:::warning +:::danger Flannel relies on the [Bridge CNI plugin](https://www.cni.dev/plugins/current/main/bridge/) to create a L2 network that switches traffic. Rogue pods with `NET_RAW` capabilities can abuse that L2 network to launch attacks such as [ARP spoofing](https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf). Therefore, as documented in the [Kubernetes docs](https://kubernetes.io/docs/concepts/security/pod-security-standards/), please set a restricted profile that disables `NET_RAW` on non-trustable pods. ::: diff --git a/docs/release-notes/v1.28.X.md b/docs/release-notes/v1.28.X.md index 8d20ff871..9136d5fcb 100644 --- a/docs/release-notes/v1.28.X.md +++ b/docs/release-notes/v1.28.X.md 
@@ -123,9 +123,13 @@ For more details on what's new, see the [Kubernetes release notes](https://githu This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1. -⚠️ IMPORTANT: This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including documentation on changes in behavior that harden clusters against this vulnerability. +:::caution Important +This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including documentation on changes in behavior that harden clusters against this vulnerability. +::: +:::danger Critical Regression Kubernetes v1.28 contains a critical regression ([kubernetes/kubernetes#120247](https://github.com/kubernetes/kubernetes/issues/120247)) that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers. +::: For more details on what's new, see the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270). diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md b/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md index d0f7c9dcf..90adaa243 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md 
@@ -31,7 +31,7 @@ Here is en example of an error that would be reported if the file name contains a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')` -:::warning +:::danger If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests. ::: diff --git a/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md b/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md index 1953b8110..9951aea7b 100644 --- a/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md +++ b/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md @@ -64,7 +64,7 @@ If you plan on achieving high availability with embedded etcd, server nodes must The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. ::: -:::warning +:::danger Flannel relies on the [Bridge CNI plugin](https://www.cni.dev/plugins/current/main/bridge/) to create a L2 network that switches traffic. Rogue pods with `NET_RAW` capabilities can abuse that L2 network to launch attacks such as [ARP spoofing](https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf). Therefore, as documented in the [Kubernetes docs](https://kubernetes.io/docs/concepts/security/pod-security-standards/), please set a restricted profile that disables `NET_RAW` on non-trustable pods. ::: 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md b/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md index 129818628..fa2aebdf4 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/installation/requirements.md @@ -71,7 +71,7 @@ K3s Server 需要 6443 端口才能被所有节点访问。 节点上的 VXLAN 端口会开放集群网络,让任何人均能访问集群。因此,不要将 VXLAN 端口暴露给外界。请使用禁用 8472 端口的防火墙/安全组来运行节点。 ::: -:::warning +:::danger Flannel 依赖 [Bridge CNI 插件](https://www.cni.dev/plugins/current/main/bridge/)来创建交换流量的 L2 网络。具有 `NET_RAW` 功能的 Rogue pod 可以滥用该 L2 网络来发动攻击,如 [ARP 欺骗](https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf)。因此,如 [Kubernetes 文档](https://kubernetes.io/docs/concepts/security/pod-security-standards/)所述,请设置一个受限配置文件,在不可信任的 Pod 上禁用 `NET_RAW`。 :::
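Review bot: The new `:::caution Important` admonition in the PATCH 3/3 hunk for docs/release-notes/v1.28.X.md reintroduces the `caution` type that PATCH 1/3 of this series removes everywhere else (the other release-notes pages and the `upgrade_warning` string in scripts/collect-all-release-notes.sh now emit `:::warning`). Change it to `:::warning Important` so hand-written and generated release notes use the same admonition set; the `:::danger Critical Regression` block added below it is consistent with the series and needs no change.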
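Review bot: The PATCH 1/3 hunk for i18n/zh/.../installation/packaged-components.md leaves the multi-server AddOn sync admonition at `:::warning`, while PATCH 3/3 moves the same admonition in docs/installation/packaged-components.md and the kr translation to `:::danger`. The zh file was behind (it still had `:::caution` where the others had `:::warning`), so the blanket caution->warning migration ends one level lower than its source; bump the zh block to `:::danger` in PATCH 3/3 so the three locales match.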
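Review bot: In the PATCH 2/3 hunk for i18n/kr/.../cli/certificate.md the new title `:::info 중요한` is the adnominal (adjective) form and sits above a body that is still untranslated English, so the rendered admonition mixes a Korean heading with English text. Either keep the English title used in docs/cli/certificate.md (`:::info Important`) until the body is translated, or use a standalone noun form such as `중요` if a Korean title is wanted.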
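Review bot: In the PATCH 2/3 hunk for i18n/zh/.../cli/certificate.md the title `:::info 重要的` reads as a bare adjective; as a heading the usual form is `重要` (or a phrase such as `重要提示`), matching the noun-style titles already used elsewhere in the zh docs in this series (`已知问题`, `警告`).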
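Review bot: The PATCH 3/3 hunk for docs/installation/requirements.md raises only the Flannel/`NET_RAW` ARP-spoofing admonition to `:::danger`, while the admonition immediately above it, whose opening line is outside this hunk, describes exposing the VXLAN port 8472 to the world and is at least as severe. Confirm that block carries the same `danger` level, and apply the same check to the identical kr and zh requirements.md hunks in this patch.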