From 030f4bb4ef9a93f1db641908b72acc6225d54b0f Mon Sep 17 00:00:00 2001 From: manuelbuil Date: Thu, 19 Dec 2024 18:28:31 +0100 Subject: [PATCH] Add codespell action Signed-off-by: manuelbuil --- .codespellrc | 5 ++++ .github/workflows/codespell.yml | 24 +++++++++++++++++ docs/install/windows_airgap.md | 2 +- docs/reference/linux_agent_config.md | 18 ++++++------- docs/reference/server_config.md | 26 +++++++++---------- docs/security/fips_support.md | 2 +- docs/security/hardening_guide.md | 2 +- docs/security/secrets_encryption.md | 2 +- .../current/install/windows_airgap.md | 2 +- 9 files changed, 56 insertions(+), 27 deletions(-) create mode 100644 .codespellrc create mode 100644 .github/workflows/codespell.yml diff --git a/.codespellrc b/.codespellrc new file mode 100644 index 00000000..7879e886 --- /dev/null +++ b/.codespellrc @@ -0,0 +1,5 @@ +[codespell] +skip = .git,./src,./node_modules,*.js,*.json,./build,./.github,yarn.lock,./scripts,MAINTAINERS,./docs/release-notes +check-filenames = true +ignore-words-list = aks,ec2,eks,gce,gcp,ro,shouldnot,pullrequest,readd,reenable,te,NotIn + diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml new file mode 100644 index 00000000..cda2cf9e --- /dev/null +++ b/.github/workflows/codespell.yml @@ -0,0 +1,24 @@ +name: Codespell +on: + push: + pull_request: + branches: + - main + workflow_dispatch: {} +jobs: + spellcheck: + name: Spell Check + runs-on: ubuntu-20.04 + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 1 + - name: Set up Python 🐍 + uses: actions/setup-python@v5 + - name: Install codespell + run: | + python -m pip install --upgrade pip + pip install codespell + - name: Check spelling + run: codespell diff --git a/docs/install/windows_airgap.md b/docs/install/windows_airgap.md index 0d569c20..341ac9d0 100644 --- a/docs/install/windows_airgap.md +++ b/docs/install/windows_airgap.md 
@@ -77,7 +77,7 @@ This will require a reboot for the `Containers` feature to properly function. ``` powershell $ProgressPreference = 'SilentlyContinue' - Invoke-WebRequest hhttps://github.com/rancher/rke2/releases/download/v1.26.10%2Brke2r2/rke2-windows-20H2-amd64-images.tar.zst -OutFile c:/var/lib/rancher/rke2/agent/images/rke2-windows-20H2-amd64-images.tar.zst + Invoke-WebRequest https://github.com/rancher/rke2/releases/download/v1.26.10%2Brke2r2/rke2-windows-20H2-amd64-images.tar.zst -OutFile c:/var/lib/rancher/rke2/agent/images/rke2-windows-20H2-amd64-images.tar.zst ``` - Use `rke2-windows--amd64.tar.gz` or `rke2-windows--amd64.tar.zst`. Zstandard offers better compression ratios and faster decompression speeds compared to pigz. diff --git a/docs/reference/linux_agent_config.md b/docs/reference/linux_agent_config.md index e5692fe4..fc120527 100644 --- a/docs/reference/linux_agent_config.md +++ b/docs/reference/linux_agent_config.md 
@@ -5,19 +5,19 @@ title: Agent Configuration Reference This is a reference to all parameters that can be used to configure the rke2 agent. Note that while this is a reference to the command line arguments, the best way to configure RKE2 is using the [configuration file](../install/configuration.md#configuration-file). ### Common -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | config | Path to config file | /etc/rancher/rke2/config.yaml | RKE2_CONFIG_FILE | | debug | Turn on debug logs | | RKE2_DEBUG | | data-dir | Folder to hold state | "/var/lib/rancher/rke2" | | ### Cluster -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | token | Token to use for authentication | RKE2_TOKEN | | token-file | Token file to use for authentication | RKE2_TOKEN_FILE | | server | Server to connect to | RKE2_URL | ### Node -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | node-name | Node name | | RKE2_NODE_NAME | | with-node-id | Append id to node name | | | 
@@ -40,13 +40,13 @@ This is a reference to all parameters that can be used to configure the rke2 age | --- | --- | | disable-default-registry-endpoint | Disables containerd's fallback default registry endpoint when a mirror is configured for that registry | ### Networking -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | node-ip | IPv4/IPv6 addresses to advertise for node | | | node-external-ip | IPv4/IPv6 external IP addresses to advertise for node | | | resolv-conf | Kubelet resolv.conf file | RKE2_RESOLV_CONF | ### Components -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | kubelet-arg | Customized flag for kubelet process | | | kube-proxy-arg | Customized flag for kube-proxy process | | @@ -66,7 +66,7 @@ This is a reference to all parameters that can be used to configure the rke2 age | etcd-extra-env | etcd extra environment variables | RKE2_ETCD_EXTRA_ENV | | cloud-controller-manager-extra-env | cloud-controller-manager extra environment variables | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV | ### Image -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | kube-apiserver-image | Override image to use for kube-apiserver | RKE2_KUBE_APISERVER_IMAGE | | kube-controller-manager-image | Override image to use for kube-controller-manager | RKE2_KUBE_CONTROLLER_MANAGER_IMAGE | 
@@ -77,17 +77,17 @@ This is a reference to all parameters that can be used to configure the rke2 age | runtime-image | Override image to use for runtime binaries (containerd, kubectl, crictl, etc) | RKE2_RUNTIME_IMAGE | | etcd-image | Override image to use for etcd | RKE2_ETCD_IMAGE | ### Cloud Provider -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | cloud-provider-name | Cloud provider name | RKE2_CLOUD_PROVIDER_NAME | | cloud-provider-config | Cloud provider configuration file path | RKE2_CLOUD_PROVIDER_CONFIG | ### Security -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | profile | Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated)) | RKE2_CIS_PROFILE | | audit-policy-file | Path to the file that defines the audit policy configuration | RKE2_AUDIT_POLICY_FILE | | pod-security-admission-config-file | Path to the file that defines Pod Security Admission configuration | RKE2_POD_SECURITY_ADMISSION_CONFIG_FILE | ### Experimental -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | kubelet-path | Override kubelet binary path | RKE2_KUBELET_PATH | diff --git a/docs/reference/server_config.md b/docs/reference/server_config.md index 27bb08c7..8ab311dd 100644 --- a/docs/reference/server_config.md +++ b/docs/reference/server_config.md @@ -19,7 +19,7 @@ The following options must be set to the same value on all servers in the cluste ### Common -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | config | Path to config file | /etc/rancher/rke2/config.yaml | RKE2_CONFIG_FILE | | debug | Turn on debug logs | | RKE2_DEBUG | 
@@ -32,7 +32,7 @@ The following options must be set to the same value on all servers in the cluste | tls-san | Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert | | | tls-san-security | Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option | true | ### Networking -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | cluster-cidr | IPv4/IPv6 network CIDRs to use for pod IPs | 10.42.0.0/16 | | | service-cidr | IPv4/IPv6 network CIDRs to use for service IPs | 10.43.0.0/16 | | @@ -43,7 +43,7 @@ The following options must be set to the same value on all servers in the cluste | servicelb-namespace | Namespace of the pods for the servicelb component | "kube-system" | | | cni | CNI Plugins to deploy, one of none, calico, canal, cilium; optionally with multus as the first value to enable the multus meta-plugin | canal | RKE2_CNI | ### Client -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | write-kubeconfig | Write kubeconfig for admin client to this file | RKE2_KUBECONFIG_OUTPUT | | write-kubeconfig-mode | Write kubeconfig with this mode | RKE2_KUBECONFIG_MODE | @@ -52,7 +52,7 @@ The following options must be set to the same value on all servers in the cluste | --- | --- | | helm-job-image | Default image to use for helm jobs | ### Cluster -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | token | Shared secret used to join a server or agent to a cluster | RKE2_TOKEN | | token-file | File containing the token | RKE2_TOKEN_FILE | 
@@ -61,7 +61,7 @@ The following options must be set to the same value on all servers in the cluste | server | Server to connect to, used to join a cluster | RKE2_URL | | cluster-reset | Forget all peers and become sole member of a new cluster | RKE2_CLUSTER_RESET | ### Database -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | cluster-reset-restore-path | Path to snapshot file to be restored | | | | etcd-expose-metrics | Expose etcd metrics to client interface. | false | | @@ -91,7 +91,7 @@ The following options must be set to the same value on all servers in the cluste | kube-scheduler-arg | Customized flag for kube-scheduler process | | kube-cloud-controller-manager-arg | Customized flag for kube-cloud-controller-manager process | ### Components -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | disable | Do not deploy packaged components and delete any deployed components (valid items: rke2-coredns, rke2-ingress-nginx, rke2-metrics-server) | | | disable-scheduler | Disable Kubernetes default scheduler | | @@ -114,7 +114,7 @@ The following options must be set to the same value on all servers in the cluste | etcd-extra-env | etcd extra environment variables | RKE2_ETCD_EXTRA_ENV | | cloud-controller-manager-extra-env | cloud-controller-manager extra environment variables | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV | ### Image -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | kube-apiserver-image | Override image to use for kube-apiserver | RKE2_KUBE_APISERVER_IMAGE | | kube-controller-manager-image | Override image to use for kube-controller-manager | RKE2_KUBE_CONTROLLER_MANAGER_IMAGE | 
@@ -125,24 +125,24 @@ The following options must be set to the same value on all servers in the cluste | runtime-image | Override image to use for runtime binaries (containerd, kubectl, crictl, etc) | RKE2_RUNTIME_IMAGE | | etcd-image | Override image to use for etcd | RKE2_ETCD_IMAGE | ### Cloud Provider -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | cloud-provider-name | Cloud provider name | RKE2_CLOUD_PROVIDER_NAME | | cloud-provider-config | Cloud provider configuration file path | RKE2_CLOUD_PROVIDER_CONFIG | ### Security -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | profile | Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated)) | RKE2_CIS_PROFILE | | audit-policy-file | Path to the file that defines the audit policy configuration | RKE2_AUDIT_POLICY_FILE | | pod-security-admission-config-file | Path to the file that defines Pod Security Admission configuration | RKE2_POD_SECURITY_ADMISSION_CONFIG_FILE | ### Experimental -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | embedded-registry | Enable embedded distributed container registry; requires use of embedded containerd | | | enable-pprof | Enable pprof endpoint on supervisor port | | | kubelet-path | Override kubelet binary path | RKE2_KUBELET_PATH | ### Agent/Node -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | node-name | Node name | | RKE2_NODE_NAME | | with-node-id | Append id to node name | | | 
@@ -154,7 +154,7 @@ The following options must be set to the same value on all servers in the cluste | selinux | Enable SELinux in containerd | | RKE2_SELINUX | | lb-server-port | Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. | 6444 | RKE2_LB_SERVER_PORT | ### Agent/Runtime -| Flag | Description | Default | Enviroment Variable | +| Flag | Description | Default | Environment Variable | | --- | --- | --- | --- | | container-runtime-endpoint | Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path | | | | default-runtime | Set the default runtime in containerd | | | @@ -166,7 +166,7 @@ The following options must be set to the same value on all servers in the cluste | --- | --- | | disable-default-registry-endpoint | Disables containerd's fallback default registry endpoint when a mirror is configured for that registry | ### Agent/Networking -| Flag | Description | Enviroment Variable | +| Flag | Description | Environment Variable | | --- | --- | --- | | node-ip | IPv4/IPv6 addresses to advertise for node | | | node-external-ip | IPv4/IPv6 external IP addresses to advertise for node | | diff --git a/docs/security/fips_support.md b/docs/security/fips_support.md index 4cde787b..4a52c26a 100644 --- a/docs/security/fips_support.md +++ b/docs/security/fips_support.md @@ -4,7 +4,7 @@ title: FIPS 140-2 Enablement FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how RKE2 is built with FIPS validated cryptographic libraries. -Verification of compliance is avaliable in: [FIPS 140-2 Verifed pdf](/RKE2_FIPS_Verified.pdf). +Verification of compliance is available in: [FIPS 140-2 Verified pdf](/RKE2_FIPS_Verified.pdf). ## Use of FIPS Compatible Go compiler. 
diff --git a/docs/security/hardening_guide.md b/docs/security/hardening_guide.md index 8151eac2..12041ea0 100644 --- a/docs/security/hardening_guide.md +++ b/docs/security/hardening_guide.md @@ -4,7 +4,7 @@ title: CIS Hardening Guide This document provides prescriptive guidance for hardening a production installation of RKE2. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS). -For more details about evaluating a hardened cluster against the official CIS benchmark, refer to the appropiate CIS Self-Assessment Guide: +For more details about evaluating a hardened cluster against the official CIS benchmark, refer to the appropriate CIS Self-Assessment Guide: - [CIS Self-Assessment Guide v1.8](cis_self_assessment18.md) for RKE2 v1.26 and newer - [CIS Self-Assessment Guide v1.7](cis_self_assessment17.md) for RKE2 v1.25 - [CIS Self-Assessment Guide v1.24](cis_self_assessment124.md) for RKE2 v1.24 and older diff --git a/docs/security/secrets_encryption.md b/docs/security/secrets_encryption.md index 50cdb00b..c2bd08d1 100644 --- a/docs/security/secrets_encryption.md +++ b/docs/security/secrets_encryption.md @@ -60,7 +60,7 @@ Failure to follow proper procedure when rotating secrets encryption keys can cau
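Review bot: In the new `.codespellrc`, `ignore-words-list` carries very short entries such as `ro` and `te` next to the cloud acronyms (`aks,ec2,eks,gce,gcp`), with no note on why any of them is there. Later editors cannot tell which entries are still needed, and a two-letter entry silences that typo across every scanned file. Add a `#` comment above the list naming the page or term each non-obvious word comes from. The blank `+` line that ends the file can be dropped.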
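Review bot: `.github/workflows/codespell.yml` has no `permissions:` key at workflow or job level, so the `spellcheck` job runs with the repository's default `GITHUB_TOKEN` scope although it only reads the checkout. Add `permissions:` with `contents: read`. The job also runs code resolved at run time: `actions/checkout@v4` and `actions/setup-python@v5` are mutable tags and `pip install codespell` is unpinned. Pin the actions to commit SHAs and codespell to a version, which also keeps a dictionary update in a new codespell release from failing unrelated pull requests. Separately, `push:` has no branch filter while `pull_request:` targets `main`, so a pull request opened from a branch in this repository triggers the check twice.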
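Review bot: In the `docs/install/windows_airgap.md` hunk, the corrected `Invoke-WebRequest` line writes the images tarball straight into `c:/var/lib/rancher/rke2/agent/images/`, and nothing in the visible step checks the file's hash before it is used. Since the line is being touched anyway, consider following it with a `Get-FileHash` comparison against the checksum published with the release. The diffstat also lists `.../current/install/windows_airgap.md`; confirm that its hunk carries the same `hhttps` to `https` fix.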