From 5e524f5e7159f39ce8ff657edaa8de07f70ab5d4 Mon Sep 17 00:00:00 2001 From: Ray Zhou Date: Fri, 27 Nov 2020 21:19:14 +0800 Subject: [PATCH] re-org index 1. re-org chapter index 2. re-org release index 3. re-org introduction index 4. sync project admin to Chinese locale 5. sync toolbox to Chinese local Signed-off-by: Ray Zhou --- content/en/docs/introduction/advantages.md | 2 +- content/en/docs/introduction/architecture.md | 2 +- content/en/docs/introduction/features.md | 2 +- content/en/docs/introduction/glossary.md | 2 +- content/en/docs/introduction/scenarios.md | 2 +- .../docs/introduction/what-is-kubesphere.md | 2 +- content/en/docs/release/release-v200.md | 2 +- content/en/docs/release/release-v201.md | 2 +- content/en/docs/release/release-v202.md | 2 +- content/en/docs/release/release-v210.md | 2 +- content/en/docs/release/release-v211.md | 2 +- content/en/docs/release/release-v300.md | 2 +- .../_index.md | 2 +- content/zh/docs/api-reference/_index.md | 2 +- content/zh/docs/application-store/_index.md | 2 +- .../zh/docs/cluster-administration/_index.md | 2 +- content/zh/docs/devops-user-guide/_index.md | 2 +- content/zh/docs/faq/_index.md | 2 +- .../docs/installing-on-kubernetes/_index.md | 2 +- content/zh/docs/installing-on-linux/_index.md | 2 +- content/zh/docs/introduction/_index.md | 2 +- content/zh/docs/introduction/advantages.md | 2 +- content/zh/docs/introduction/architecture.md | 2 +- content/zh/docs/introduction/features.md | 2 +- content/zh/docs/introduction/glossary.md | 2 +- content/zh/docs/introduction/scenarios.md | 2 +- .../docs/introduction/what-is-kubesphere.md | 2 +- .../zh/docs/multicluster-management/_index.md | 2 +- .../zh/docs/pluggable-components/_index.md | 2 +- .../zh/docs/project-administration/_index.md | 33 +++ .../project-and-multicluster-project.md | 126 +++++++++++ .../project-administration/project-gateway.md | 10 + .../project-network-isolation.md | 181 +++++++++++++++ .../project-administration/project-quota.md | 10 + .../role-and-member-management.md | 92 ++++++++ content/zh/docs/project-user-guide/_index.md | 2 +- content/zh/docs/quick-start/_index.md | 2 +- content/zh/docs/release/_index.md | 2 +- content/zh/docs/release/release-v200.md | 2 +- content/zh/docs/release/release-v201.md | 2 +- content/zh/docs/release/release-v202.md | 2 +- content/zh/docs/release/release-v210.md | 2 +- content/zh/docs/release/release-v211.md | 2 +- content/zh/docs/release/release-v300.md | 2 +- content/zh/docs/toolbox/_index.md | 45 ++++ content/zh/docs/toolbox/auditing/_index.md | 7 + .../docs/toolbox/auditing/auditing-query.md | 69 ++++++ .../auditing/auditing-receive-customize.md | 181 +++++++++++++++ .../zh/docs/toolbox/auditing/auditing-rule.md | 212 ++++++++++++++++++ content/zh/docs/toolbox/events-query.md | 57 +++++ content/zh/docs/toolbox/history.md | 14 ++ content/zh/docs/toolbox/log-query.md | 86 +++++++ content/zh/docs/toolbox/web-kubectl.md | 51 +++++ .../docs/workspace-administration/_index.md | 2 +- 54 files changed, 1213 insertions(+), 39 deletions(-) create mode 100644 content/zh/docs/project-administration/_index.md create mode 100644 content/zh/docs/project-administration/project-and-multicluster-project.md create mode 100644 content/zh/docs/project-administration/project-gateway.md create mode 100644 content/zh/docs/project-administration/project-network-isolation.md create mode 100644 content/zh/docs/project-administration/project-quota.md create mode 100644 content/zh/docs/project-administration/role-and-member-management.md create mode 100644 content/zh/docs/toolbox/_index.md create mode 100644 content/zh/docs/toolbox/auditing/_index.md create mode 100644 content/zh/docs/toolbox/auditing/auditing-query.md create mode 100644 content/zh/docs/toolbox/auditing/auditing-receive-customize.md create mode 100644 content/zh/docs/toolbox/auditing/auditing-rule.md create mode 100644 content/zh/docs/toolbox/events-query.md create mode 100644 content/zh/docs/toolbox/history.md create mode 100644 content/zh/docs/toolbox/log-query.md create mode 100644 content/zh/docs/toolbox/web-kubectl.md diff --git a/content/en/docs/introduction/advantages.md b/content/en/docs/introduction/advantages.md index f70515638..aa793cb21 100644 --- a/content/en/docs/introduction/advantages.md +++ b/content/en/docs/introduction/advantages.md @@ -3,7 +3,7 @@ title: "Advantages" keywords: "KubeSphere, Kubernetes, Advantages" description: "KubeSphere Advantages" -weight: 1400 +weight: 2400 --- ## Vision diff --git a/content/en/docs/introduction/architecture.md b/content/en/docs/introduction/architecture.md index 859bd5e7d..d5b7ddbaa 100644 --- a/content/en/docs/introduction/architecture.md +++ b/content/en/docs/introduction/architecture.md @@ -4,7 +4,7 @@ keywords: "kubesphere, kubernetes, docker, helm, jenkins, istio, prometheus, dev description: "KubeSphere architecture" linkTitle: "Architecture" -weight: 1300 +weight: 2300 --- ## Separation of frontend and backend diff --git a/content/en/docs/introduction/features.md b/content/en/docs/introduction/features.md index db8b85040..d3ae998a0 100644 --- a/content/en/docs/introduction/features.md +++ b/content/en/docs/introduction/features.md @@ -4,7 +4,7 @@ keywords: "KubeSphere, Kubernetes, Docker, Jenkins, Istio, Features" description: "KubeSphere Key Features" linkTitle: "Features" -weight: 1200 +weight: 2200 --- ## Overview diff --git a/content/en/docs/introduction/glossary.md b/content/en/docs/introduction/glossary.md index b38fc4023..95b09c5be 100644 --- a/content/en/docs/introduction/glossary.md +++ b/content/en/docs/introduction/glossary.md @@ -3,7 +3,7 @@ title: "Glossary" keywords: 'kubernetes, docker, helm, jenkins, istio, prometheus' description: '' -weight: 1500 +weight: 2600 --- This document describes some frequently used glossaries in KubeSphere as shown below: diff --git a/content/en/docs/introduction/scenarios.md b/content/en/docs/introduction/scenarios.md index 3aea9595f..543cf46ef 100644 --- a/content/en/docs/introduction/scenarios.md +++ b/content/en/docs/introduction/scenarios.md @@ -3,7 +3,7 @@ title: "Use Cases" keywords: 'KubeSphere, Kubernetes, Multi-cluster, Observability, DevOps' description: 'Applicable in a variety of scenarios, KubeSphere provides enterprises with containerized environments with a complete set of features for management and operation.' -weight: 1498 +weight: 2500 --- KubeSphere is applicable in a variety of scenarios. For enterprises that deploy their business system on bare metal, their business modules are tightly coupled with each other. That means it is extremely difficult for resources to be horizontally scaled. In this connection, KubeSphere provides enterprises with containerized environments with a complete set of features for management and operation. It empowers enterprises to rise to the challenges in the middle of their digital transformation, including agile software development, automated operation and maintenance, microservices governance, traffic management, autoscaling, high availability, as well as DevOps and CI/CD. diff --git a/content/en/docs/introduction/what-is-kubesphere.md b/content/en/docs/introduction/what-is-kubesphere.md index 5620c8f4b..618d44e55 100644 --- a/content/en/docs/introduction/what-is-kubesphere.md +++ b/content/en/docs/introduction/what-is-kubesphere.md @@ -3,7 +3,7 @@ title: "What is KubeSphere" keywords: 'Kubernetes, KubeSphere, Introduction' description: 'What is KubeSphere' -weight: 1100 +weight: 2100 --- ## Overview diff --git a/content/en/docs/release/release-v200.md b/content/en/docs/release/release-v200.md index ba048fe22..b13521030 100644 --- a/content/en/docs/release/release-v200.md +++ b/content/en/docs/release/release-v200.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.0" linkTitle: "Release Notes - 2.0.0" -weight: 500 +weight: 1111 --- KubeSphere 2.0.0 was released on **May 18th, 2019**. diff --git a/content/en/docs/release/release-v201.md b/content/en/docs/release/release-v201.md index 2407dce8a..bc0696b0d 100644 --- a/content/en/docs/release/release-v201.md +++ b/content/en/docs/release/release-v201.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.1" linkTitle: "Release Notes - 2.0.1" -weight: 400 +weight: 1110 --- KubeSphere 2.0.1 was released on **June 9th, 2019**. diff --git a/content/en/docs/release/release-v202.md b/content/en/docs/release/release-v202.md index 3c8fec965..393f9b804 100644 --- a/content/en/docs/release/release-v202.md +++ b/content/en/docs/release/release-v202.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.2" linkTitle: "Release Notes - 2.0.2" -weight: 300 +weight: 1109 --- KubeSphere 2.0.2 was released on July 9, 2019, which fixes known bugs and enhances existing feature. If you have installed versions of 1.0.x, 2.0.0 or 2.0.1, please download KubeSphere installer v2.0.2 to upgrade. diff --git a/content/en/docs/release/release-v210.md b/content/en/docs/release/release-v210.md index ae876bee6..6b54b9ca8 100644 --- a/content/en/docs/release/release-v210.md +++ b/content/en/docs/release/release-v210.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.1.0" linkTitle: "Release Notes - 2.1.0" -weight: 200 +weight: 1108 --- KubeSphere 2.1.0 was released on Nov 11th, 2019, which fixes known bugs, adds some new features and brings some enhancement. If you have installed versions of 2.0.x, please upgrade it and enjoy the better user experience of v2.1.0. diff --git a/content/en/docs/release/release-v211.md b/content/en/docs/release/release-v211.md index d8acba698..e0552e68a 100644 --- a/content/en/docs/release/release-v211.md +++ b/content/en/docs/release/release-v211.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.1.1" linkTitle: "Release Notes - 2.1.1" -weight: 100 +weight: 1107 --- KubeSphere 2.1.1 was released on Feb 23rd, 2020, which has fixed known bugs and brought some enhancements. For the users who have installed versions of 2.0.x or 2.1.0, make sure to read the user manual carefully about how to upgrade before doing that, and feel free to raise any questions on [GitHub](https://github.com/kubesphere/kubesphere/issues). diff --git a/content/en/docs/release/release-v300.md b/content/en/docs/release/release-v300.md index 4ceb85a7c..bc48d0ac3 100644 --- a/content/en/docs/release/release-v300.md +++ b/content/en/docs/release/release-v300.md @@ -4,7 +4,7 @@ keywords: "Kubernetes, KubeSphere, release-notes" description: "KubeSphere Release Notes for 3.0.0" linkTitle: "Release Notes - 3.0.0" -weight: 50 +weight: 1106 --- ## How to get v3.0.0 diff --git a/content/zh/docs/access-control-and-account-management/_index.md b/content/zh/docs/access-control-and-account-management/_index.md index a7cdc5aee..64be1993d 100644 --- a/content/zh/docs/access-control-and-account-management/_index.md +++ b/content/zh/docs/access-control-and-account-management/_index.md @@ -4,7 +4,7 @@ description: "账户管理和权限控制" layout: "single" linkTitle: "账户管理和权限控制" -weight: 4500 +weight: 13000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/api-reference/_index.md b/content/zh/docs/api-reference/_index.md index f84d1db69..7d6316707 100644 --- a/content/zh/docs/api-reference/_index.md +++ b/content/zh/docs/api-reference/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "Reference" -weight: 8100 +weight: 18000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/application-store/_index.md b/content/zh/docs/application-store/_index.md index 0ab538057..b62ce474a 100644 --- a/content/zh/docs/application-store/_index.md +++ b/content/zh/docs/application-store/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "应用商店" -weight: 4600 +weight: 15000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/cluster-administration/_index.md b/content/zh/docs/cluster-administration/_index.md index 1746500d3..24afd1a31 100644 --- a/content/zh/docs/cluster-administration/_index.md +++ b/content/zh/docs/cluster-administration/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "集群管理" -weight: 4100 +weight: 9000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/devops-user-guide/_index.md b/content/zh/docs/devops-user-guide/_index.md index 41daedb4b..782d85bc1 100644 --- a/content/zh/docs/devops-user-guide/_index.md +++ b/content/zh/docs/devops-user-guide/_index.md @@ -4,7 +4,7 @@ description: "如何使用 KubeSphere DevOps" layout: "single" linkTitle: "DevOps 用户指南" -weight: 4400 +weight: 12000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/faq/_index.md b/content/zh/docs/faq/_index.md index f2c84e2f7..20f9e3f31 100644 --- a/content/zh/docs/faq/_index.md +++ b/content/zh/docs/faq/_index.md @@ -4,7 +4,7 @@ description: "FAQ is designed to answer and summarize the questions users ask mo layout: "single" linkTitle: "FAQ" -weight: 7000 +weight: 17000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/installing-on-kubernetes/_index.md b/content/zh/docs/installing-on-kubernetes/_index.md index 298538d43..642220b96 100644 --- a/content/zh/docs/installing-on-kubernetes/_index.md +++ b/content/zh/docs/installing-on-kubernetes/_index.md @@ -4,7 +4,7 @@ description: "演示如何在云或本地托管的现有 Kubernetes 集群上安 layout: "single" linkTitle: "在 Kubernetes 上安装 KubeSphere" -weight: 2500 +weight: 5000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/installing-on-linux/_index.md b/content/zh/docs/installing-on-linux/_index.md index f332b99be..73e0070c1 100644 --- a/content/zh/docs/installing-on-linux/_index.md +++ b/content/zh/docs/installing-on-linux/_index.md @@ -5,7 +5,7 @@ description: "演示如何在云上和本地 Linux 环境中安装 KubeSphere。 layout: "single" linkTitle: "在 Linux 上安装 KubeSphere" -weight: 2000 +weight: 4000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/introduction/_index.md b/content/zh/docs/introduction/_index.md index 1d10518a2..c47531519 100644 --- a/content/zh/docs/introduction/_index.md +++ b/content/zh/docs/introduction/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "产品介绍" -weight: 1000 +weight: 2000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/introduction/advantages.md b/content/zh/docs/introduction/advantages.md index f70515638..aa793cb21 100644 --- a/content/zh/docs/introduction/advantages.md +++ b/content/zh/docs/introduction/advantages.md @@ -3,7 +3,7 @@ title: "Advantages" keywords: "KubeSphere, Kubernetes, Advantages" description: "KubeSphere Advantages" -weight: 1400 +weight: 2400 --- ## Vision diff --git a/content/zh/docs/introduction/architecture.md b/content/zh/docs/introduction/architecture.md index 3335a55c2..25a49fcc0 100644 --- a/content/zh/docs/introduction/architecture.md +++ b/content/zh/docs/introduction/architecture.md @@ -4,7 +4,7 @@ keywords: "kubesphere, kubernetes, docker, helm, jenkins, istio, prometheus, dev description: "KubeSphere 架构说明" linkTitle: "架构说明" -weight: 1300 +weight: 2300 --- ## 前后端分离 diff --git a/content/zh/docs/introduction/features.md b/content/zh/docs/introduction/features.md index c849f37ef..ba7dfc8cc 100644 --- a/content/zh/docs/introduction/features.md +++ b/content/zh/docs/introduction/features.md @@ -4,7 +4,7 @@ keywords: "KubeSphere, Kubernetes, Docker, Jenkins, Istio, Features, 平台功 description: "KubeSphere 平台功能" linkTitle: "平台功能" -weight: 1200 +weight: 2200 --- ## 概览 diff --git a/content/zh/docs/introduction/glossary.md b/content/zh/docs/introduction/glossary.md index 94737e2e0..fe77c8245 100644 --- a/content/zh/docs/introduction/glossary.md +++ b/content/zh/docs/introduction/glossary.md @@ -3,7 +3,7 @@ title: "名词解释" keywords: 'kubernetes, docker, helm, jenkins, istio, prometheus,名词解释' description: 'KubeSphere中常用的词汇释义' -weight: 1500 +weight: 2600 --- 本文档介绍了KubeSphere中一些常用的词汇表,如下所示: diff --git a/content/zh/docs/introduction/scenarios.md b/content/zh/docs/introduction/scenarios.md index 3aea9595f..543cf46ef 100644 --- a/content/zh/docs/introduction/scenarios.md +++ b/content/zh/docs/introduction/scenarios.md @@ -3,7 +3,7 @@ title: "Use Cases" keywords: 'KubeSphere, Kubernetes, Multi-cluster, Observability, DevOps' description: 'Applicable in a variety of scenarios, KubeSphere provides enterprises with containerized environments with a complete set of features for management and operation.' -weight: 1498 +weight: 2500 --- KubeSphere is applicable in a variety of scenarios. For enterprises that deploy their business system on bare metal, their business modules are tightly coupled with each other. That means it is extremely difficult for resources to be horizontally scaled. In this connection, KubeSphere provides enterprises with containerized environments with a complete set of features for management and operation. It empowers enterprises to rise to the challenges in the middle of their digital transformation, including agile software development, automated operation and maintenance, microservices governance, traffic management, autoscaling, high availability, as well as DevOps and CI/CD. diff --git a/content/zh/docs/introduction/what-is-kubesphere.md b/content/zh/docs/introduction/what-is-kubesphere.md index b15009791..516da0258 100644 --- a/content/zh/docs/introduction/what-is-kubesphere.md +++ b/content/zh/docs/introduction/what-is-kubesphere.md @@ -3,7 +3,7 @@ title: "什么是 KubeSphere" keywords: 'Kubernetes, KubeSphere, 介绍' description: '什么是 KubeSphere' -weight: 1100 +weight: 2100 --- ## 概述 diff --git a/content/zh/docs/multicluster-management/_index.md b/content/zh/docs/multicluster-management/_index.md index f0ef6c66b..e8ef38bb5 100644 --- a/content/zh/docs/multicluster-management/_index.md +++ b/content/zh/docs/multicluster-management/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "多集群管理" -weight: 3000 +weight: 6000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/pluggable-components/_index.md b/content/zh/docs/pluggable-components/_index.md index 5a32eb1ba..d5abaf0fc 100644 --- a/content/zh/docs/pluggable-components/_index.md +++ b/content/zh/docs/pluggable-components/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "启用可插拔组件" -weight: 3500 +weight: 7000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/project-administration/_index.md b/content/zh/docs/project-administration/_index.md new file mode 100644 index 000000000..f88bcbb66 --- /dev/null +++ b/content/zh/docs/project-administration/_index.md @@ -0,0 +1,33 @@ +--- +title: "Project Administration" +description: "Help you to better manage KubeSphere projects" +layout: "single" + +linkTitle: "Project Administration" +weight: 14000 + +icon: "/images/docs/docs.svg" + +--- + +A KubeSphere project is a Kubernetes namespace. There are two types of projects, the single-cluster project and the multi-cluster project. The former one is the regular Kubernetes namespace, while the latter one is the federation namespace across multiple clusters. As a project administrator, there are a bunch of work to do, such as setting project quotas, managing gateway, access control, etc. + +## [Projects and Multi-cluster Projects](../project-administration/project-and-multicluster-project/) + +Learn how to manage different types of projects. + +## [Project Quotas](../project-administration/project-quota/) + +Learn how to configure project quotas of resources such as workloads, CPU, memory. + +## [Project Gateway](../project-administration/project-gateway/) + +Understand the concept of project gateway and how to manage it. + +## [Project Network Isolation](../project-administration/project-network-isolation/) + +Understand the concept of network isolation and how to configure policies for a project. + +## [Role and Member Management](../project-administration/role-and-member-management/) + +Learn how to manage access control for a project. diff --git a/content/zh/docs/project-administration/project-and-multicluster-project.md b/content/zh/docs/project-administration/project-and-multicluster-project.md new file mode 100644 index 000000000..97dcdfc6c --- /dev/null +++ b/content/zh/docs/project-administration/project-and-multicluster-project.md @@ -0,0 +1,126 @@ +--- +title: "Projects and Multi-cluster Projects" +keywords: 'KubeSphere, Kubernetes, project, multicluster-project' +description: 'This tutorial introduces projects and multi-cluster projects.' + +linkTitle: "Projects and Multi-cluster Projects" +weight: 2100 +--- + +A project in KubeSphere is a Kubernetes [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/), which is used to organize resources into non-overlapping groups. It represents a logical partitioning capability as it divides cluster resources between multiple tenants. + +A multi-cluster project runs across clusters, empowering users to achieve high availability and isolate occurring issues to a certain cluster while not affecting your business. For more information, see [Multi-cluster Management](../../multicluster-management/). + +This chapter demonstrates the basic operations of project administration, such as creation and deletion. + +## Prerequisites + +- You have an available workspace. +- You must have the authorization of **Projects Management**, which is included in the built-in role `workspace-self-provisioner`. +- You must enable the multi-cluster feature through [Direction Connection](../../multicluster-management/enable-multicluster/direct-connection/) or [Agent Connection](../../multicluster-management/enable-multicluster/agent-connection/) before you create a multi-cluster project. + +## Projects + +### Create a project + +1. Go to the **Projects** page of a workspace and click **Create**. + + ![create-project](/images/docs/project-admin/create-project.jpg) + + {{< notice note >}} + +- You can change the cluster where the project will be created on the **Cluster** drop-down list. The list is only visible after you enable the multi-cluster feature. +- If you cannot see the **Create** button, it means no cluster is available to use for your workspace. You need to contact the platform administrator or cluster administrator so that workspace resources can be created in the cluster. To assign a cluster to a workspace, the platform administrator or cluster administrator needs to edit [**Cluster Visibility**](../../cluster-administration/cluster-settings/cluster-visibility-and-authorization/) on the **Cluster Management** page. + + {{}} + +2. In the **Create Project** window that appears, enter a project name and add an alias or description if necessary. Select the cluster where the project will be created (this option does not appear if the multi-cluster feature is not enabled), and click **OK** to finish. + + ![create-project-page](/images/docs/project-admin/create-project-page.jpg) + +3. A project created will display in the list as shown below. You can click the project name to go to its **Overview** page. + + ![project-list](/images/docs/project-admin/project-list.jpg) + +### Edit project information + +1. Navigate to **Basic Info** under **Project Settings** and click **Manage Project** on the right. + + ![basic-info-page](/images/docs/project-admin/basic-info-page.jpg) + +2. Choose **Edit Info** from the drop-down menu. + + {{< notice note >}} + +The project name cannot be edited. If you want to change other information, see relevant chapters in the documentation. + + {{}} + +### Delete a project + +1. Navigate to **Basic Info** under **Project Settings** and click **Manage Project** on the right. + + ![basic-info-page](/images/docs/project-admin/basic-info-page.jpg) + +2. Choose **Delete Project** from the drop-down menu. + +3. In the dialog that appears, enter the project name and click **OK** to confirm the deletion. + + {{< notice warning >}} + +A project cannot be recovered once deleted and resources in the project will be removed as well. + + {{}} + +## Multi-cluster Projects + +### Create a multi-cluster project + +1. Go to the **Projects** page of a workspace, choose **Multi-cluster Projects** and click **Create**. + + ![create-multicluster-project](/images/docs/project-admin/create-multicluster-project.jpg) + + {{< notice note >}} + +- If you cannot see the **Create** button, it means no cluster is available to use for your workspace. You need to contact the platform administrator or cluster administrator so that workspace resources can be created in the cluster. To assign a cluster to a workspace, the platform administrator or cluster administrator needs to edit [**Cluster Visibility**](../../cluster-administration/cluster-settings/cluster-visibility-and-authorization/) on the **Cluster Management** page. +- Make sure at least two clusters are assigned to your workspace. + + {{}} + +2. In the **Create Multi-cluster Project** window that appears, enter a project name and add an alias or description if necessary. Select multiple clusters for your project by clicking **Add Cluster**, and click **OK** to finish. + + ![create-multicluster-project-page](/images/docs/project-admin/create-multicluster-project-page.jpg) + +3. A multi-cluster project created will display in the list as shown below. You can click the project name to go to its **Overview** page. + + ![multicluster-project-list](/images/docs/project-admin/multicluster-project-list.jpg) + +### Edit multi-cluster project information + +1. Navigate to **Basic Info** under **Project Settings** and click **Manage Project** on the right. + + ![basic-info-multicluster](/images/docs/project-admin/basic-info-multicluster.jpg) + +2. Choose **Edit Info** from the drop-down menu. + + {{< notice note >}} + +The project name cannot be edited. If you want to change other information, see relevant chapters in the documentation. + + {{}} + +### Delete a multi-cluster project + +1. Navigate to **Basic Info** under **Project Settings** and click **Manage Project** on the right. + + ![basic-info-multicluster](/images/docs/project-admin/basic-info-multicluster.jpg) + +2. Choose **Delete Project** from the drop-down menu. + +3. In the dialog that appears, enter the project name and click **OK** to confirm the deletion. + + {{< notice warning >}} + +A multi-cluster project cannot be recovered once deleted and resources in the project will be removed as well. + + {{}} diff --git a/content/zh/docs/project-administration/project-gateway.md b/content/zh/docs/project-administration/project-gateway.md new file mode 100644 index 000000000..538c5e126 --- /dev/null +++ b/content/zh/docs/project-administration/project-gateway.md @@ -0,0 +1,10 @@ +--- +title: "Project Gateway" +keywords: 'KubeSphere, kubernetes, docker, helm, jenkins, istio, prometheus' +description: 'Project Gateway' + +linkTitle: "Project Gateway" +weight: 2130 +--- + +TBD \ No newline at end of file diff --git a/content/zh/docs/project-administration/project-network-isolation.md b/content/zh/docs/project-administration/project-network-isolation.md new file mode 100644 index 000000000..164edf637 --- /dev/null +++ b/content/zh/docs/project-administration/project-network-isolation.md @@ -0,0 +1,181 @@ +--- +title: "Project Network Isolation" +keywords: 'KubeSphere, kubernetes, Calico, Network Policy' +description: 'Project Network Isolation' + +linkTitle: "Project Network Isolation" +weight: 2130 +--- + +KubeSphere project network isolation lets project administrators enforce which network traffic is allowed using rules. + +## Prerequisites + +- You have already enabled Network Policy. Please refer to [network-policy](../../pluggable-components/network-policy) if it is not ready yet. +- Use an account of the `admin` role at the project level. For example, use the account `project-admin` created in [Create Workspace, Project, Account and Role](../../quick-start/create-workspace-and-project/). + +{{< notice note >}} +For the implementation of the Network Policy, you can refer to [kubesphere-network-policy](https://github.com/kubesphere/community/blob/master/sig-network/concepts-and-designs/kubesphere-network-policy.md). +{{}} + +## Enable/Disable Project Network Isolation + +By default project network isolation is disabled, you can turn on network isolation via **Project Settings/Network Isolation** +![network-isolation-on](/images/docs/project-administration/network-isolation-on.png) + +{{< notice note >}} +When network isolation is turned on, egress traffic will be allowed by default, while ingress traffic will be denied for + different projects. But when you add an egress network policy, only traffic that matches your policy will be allowed to go out. +{{}} + +You can also disable network isolation via this path. +![network-isolation-off](/images/docs/project-administration/network-isolation-off.png) + +{{< notice note >}} +When network isolation is turned off, any previously created network policies will be deleted as well. +{{}} + +## Setting Network Policy + +If the default policy does not meet your needs when network isolation is enabled, you can customize your network policy +to meet your needs. Currently, you can add custom network policies in KubeSphere from two perspectives: + +- Cluster Internal +- Cluster External + +### Cluster Internal + +Network policies at the project level within a cluster are used to control whether resources in this project can be accessed by other projects within the same cluster, and which services you can access. + +Suppose a `nginx deployment` workload has been created in the other project `testProject` and is exposed via service `testService` on port `80` with `TCP`. + +#### Allow ingress traffic from workloads in a different project + +1. Select **Cluster Internal Allowlist** +2. Click **Add Allowlist** +3. Select type **Project** +4. Select project `testProject` +5. Select direction **Ingress** +6. Click **OK** + +{{< notice note >}} +If the network still doesn't work after you set the network policy, then you need to check if peer has set the corresponding egress rule. +{{}} + +#### Allow egress traffic to workloads selected by service + +1. Select **Cluster Internal Allowlist** +2. Click **Add Allowlist** +3. Select type **Service** +4. Select the project `testProject` +5. Select the service `testService` that you want to allow +6. Select direction **Egress** +7. Click **OK** + +{{< notice note >}} +When creating a service you must make sure that the selectors of the service are not empty. +{{}} + +### Cluster External + +Outside the cluster we distinguish between the peers by CIDR. + +Suppose a `tomcat deployment` workload has been created in this project and is exposed via `NodePort` service `testService` on NodePort `80` with `TCP`. +A client with ip address `192.168.1.1` will access this service, and the service will have access to the address `http://10.1.0.1:80`. + +#### Allow ingress traffic from client outside the cluster + +1. Select **Cluster External IP Address** +2. Select direction **Ingress** +3. Fill CIDR `192.168.1.1/32` +4. Select protocol `TCP` and fill port `80` +5. Click **OK** + +{{< notice note >}} +It is best to set `spec.externalTrafficPolicy` in the service configuration to `local`, so that the source address of the packet will not change, i.e. the source address of the packet is the source address of the client. +{{}} + +#### Allow egress traffic to service outside the cluster + +1. Select **Cluster External IP Address** +2. Select direction **Egress** +3. Fill CIDR `10.1.0.1/32` +4. Select protocol `TCP` and fill port `80` +5. Click **OK** + +{{< notice note >}} +In step 4, when you select **SCTP**, you must make sure the SCTP is [enabled](https://kubernetes.io/docs/concepts/services-networking/network-policies/#sctp-support). +{{}} + +### Best Practices + +To ensure that all Pods in the project are secure, a best practice is to enable network isolation. + +When network isolation is on, the project cannot be accessed by other projects. If your workloads need to be accessed by others, you can follow these steps: + +1. Set gateway via **[Project Settings/Advanced Settings](../project-gateway/)**. +2. Expose workloads that need to be accessed to a gateway via a service. +3. Allow ingress traffic from the namespace where you gateway locate. + +If egress traffic is controlled, you should have a clear plan of what projects, services, and IP addresses can be accessed, and then add them one by one. +If you're not sure what you want, then you'd better keep your network policy unchanged. + +## FAQs + +Q: **Why can't the custom monitoring system of KubeSphere get data after I enabled network isolation?** + +A: After you enabled custom monitoring, KubeSphere monitoring system will access the metrics of the Pod. You need to allow ingress traffic for KubeSphere monitoring system. Otherwise, it cannot access Pod metrics. + +Here KubeSphere provides a configuration item `allowedIngressNamespaces`to simplify similar configurations, which allows you to allow all projects + listed in the configuration. + +```yaml +root@node1:~# kubectl get -n kubesphere-system clusterconfigurations.installer.kubesphere.io ks-installer -o yaml +apiVersion: installer.kubesphere.io/v1alpha1 +kind: ClusterConfiguration +metadata: + ... + name: ks-installer + namespace: kubesphere-system + ... +spec: + ... + networkpolicy: + enabled: true + nsnpOptions: + allowedIngressNamespaces: + - kubesphere-system + - kubesphere-monitoring-system + ... +``` + +Q: **Why can't I access the service even after setting network policy through the service?** + +A: When you add a network policy and access the service via cluster ip, if the network is not + working, check the kube-proxy configuration to see if `masqueradeAll` is `false`. + + ```yaml + root@node1:~# kubectl get cm -n kube-system kube-proxy -o yaml + apiVersion: v1 + data: + config.conf: |- + ... + iptables: + masqueradeAll: false + ... + ... + kind: ConfigMap + metadata: + ... + labels: + app: kube-proxy + name: kube-proxy + namespace: kube-system + ... + ``` + +Q: **How do I determine the CIDR when I set the ingress policy?** + +A: In K8s, the source ip address of the packet is often handled by nat, + so you need to figure out what the source address of the packet will be before you add the rule. + Here you can refer to [Source IP](https://github.com/kubesphere/community/blob/master/sig-network/concepts-and-designs/kubesphere-network-policy.md#source-ip). diff --git a/content/zh/docs/project-administration/project-quota.md b/content/zh/docs/project-administration/project-quota.md new file mode 100644 index 000000000..df438bd54 --- /dev/null +++ b/content/zh/docs/project-administration/project-quota.md @@ -0,0 +1,10 @@ +--- +title: "Project Quotas" +keywords: 'kubernetes, docker, helm, jenkins, istio, prometheus' +description: 'Project Quotas' + +linkTitle: "Project Quotas" +weight: 2110 +--- + +TBD diff --git a/content/zh/docs/project-administration/role-and-member-management.md b/content/zh/docs/project-administration/role-and-member-management.md new file mode 100644 index 000000000..f1e65da03 --- /dev/null +++ b/content/zh/docs/project-administration/role-and-member-management.md @@ -0,0 +1,92 @@ +--- +title: "Role and Member Management" +keywords: 'KubeSphere, Kubernetes, role, member, management, project' +description: 'Role and Member Management in a Project' + +linkTitle: "Role and Member Management" +weight: 2130 +--- + +This guide demonstrates how to manage roles and members in your project. For more information about KubeSphere roles, see Overview of Role Management. + +In project scope, you can grant the following resources' permissions to a role: + +- Application Workloads +- Storage +- Configurations +- Monitoring & Alerting +- Project Settings +- Access Control + +## Prerequisites + +At least one project has been created, such as `demo-project`. Besides, you need an account of the `admin` role (e.g. `project-admin`) at the project level. See [Create Workspace, Project, Account and Role](../../quick-start/create-workspace-and-project/) if it is not ready yet. + +## Built-in Roles + +In **Project Roles**, there are three available built-in roles as shown below. Built-in roles are created automatically by KubeSphere when a project is created and they cannot be edited or deleted. You can only view permissions and authorized user list. + +| Built-in Roles | Description | +| ------------------ | ------------------------------------------------------------ | +| viewer | The viewer who can view all resources in the project. | +| operator | The maintainer of the project who can manage resources other than users and roles in the project. | +| admin | The administrator in the project who can perform any action on any resource. It gives full control over all resources in the project. | + +1. In **Project Roles**, click `admin` and you can see the role detail as shown below. + + ![view role details](/images/docs/project-admin/project_role_detail.png) + +2. You can switch to **Authorized Users** tab to see all the users that are granted an `admin` role. + +## Create a Project Role + +1. Log in the console as `project-admin` and select a project (e.g. `demo-project`) under **Projects** list. + + {{< notice note >}} + +The account `project-admin` is used as an example. As long as the account you are using is granted a role including the authorization of **Project Members View**, **Project Roles Management** and **Project Roles View** in **Access Control** at project level, it can create a project role. + + {{}} + +2. Go to **Project Roles** in **Project Settings**, click **Create** and set a **Role Identifier**. In this example, a role named `project-monitor` will be created. Click **Edit Authorization** to continue. + + ![Create a project role](/images/docs/project-admin/project_role_create_step1.png) + +3. Select the authorization that you want the user granted this role to have. For example, **Application Workloads View** in **Application Workloads**, and **Alerting Messages View** and **Alerting Policies View** in **Monitoring & Alerting** are selected for this role. Click **OK** to finish. + + ![Edit Authorization](/images/docs/project-admin/project_role_create_step2.png) + + {{< notice note >}} + +**Depend on** means the major authorization (the one listed after **Depend on**) needs to be selected first so that the affiliated authorization can be assigned. + + {{}} + +4. Newly-created roles will be listed in **Project Roles**. You can click the three dots on the right to edit it. + + ![Edit Roles](/images/docs/project-admin/project_role_list.png) + + {{< notice note >}} + +The role of `project-monitor` is only granted limited permissions in **Monitoring & Alerting**, which may not satisfy your need. This example is only for demonstration purpose. You can create customized roles based on your needs. + + {{}} + +## Invite a New Member + +1. In **Project Settings**, select **Project Members** and click **Invite Member**. +2. Invite a user to the project. Grant the role of `project-monitor` to the user. + + ![invite member](/images/docs/project-admin/project_invite_member_step2.png) + + {{< notice note >}} + +The user must be invited to the project's workspace first. + + {{}} + +3. After you add a user to the project, click **OK**. In **Project Members**, you can see the newly invited member listed. + +4. You can also change the role of an existing member by editing it or remove it from the project. + + ![edit member role](/images/docs/project-admin/project_user_edit.png) diff --git a/content/zh/docs/project-user-guide/_index.md b/content/zh/docs/project-user-guide/_index.md index bd0dbac2f..5ca3625a0 100644 --- a/content/zh/docs/project-user-guide/_index.md +++ b/content/zh/docs/project-user-guide/_index.md @@ -4,7 +4,7 @@ description: "帮助您更好地管理 KubeSphere 项目中的资源" layout: "single" linkTitle: "项目用户指南" -weight: 4300 +weight: 11000 icon: "/images/docs/docs.svg" --- diff --git a/content/zh/docs/quick-start/_index.md b/content/zh/docs/quick-start/_index.md index 30801cb5c..192b851d2 100644 --- a/content/zh/docs/quick-start/_index.md +++ b/content/zh/docs/quick-start/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "快速入门" -weight: 1500 +weight: 3000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/release/_index.md b/content/zh/docs/release/_index.md index 9f28c2119..fffea6a0f 100644 --- a/content/zh/docs/release/_index.md +++ b/content/zh/docs/release/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "Release Notes" -weight: 1 +weight: 1000 icon: "/images/docs/docs.svg" diff --git a/content/zh/docs/release/release-v200.md b/content/zh/docs/release/release-v200.md index ba048fe22..b13521030 100644 --- a/content/zh/docs/release/release-v200.md +++ b/content/zh/docs/release/release-v200.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.0" linkTitle: "Release Notes - 2.0.0" -weight: 500 +weight: 1111 --- KubeSphere 2.0.0 was released on **May 18th, 2019**. diff --git a/content/zh/docs/release/release-v201.md b/content/zh/docs/release/release-v201.md index 2407dce8a..bc0696b0d 100644 --- a/content/zh/docs/release/release-v201.md +++ b/content/zh/docs/release/release-v201.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.1" linkTitle: "Release Notes - 2.0.1" -weight: 400 +weight: 1110 --- KubeSphere 2.0.1 was released on **June 9th, 2019**. diff --git a/content/zh/docs/release/release-v202.md b/content/zh/docs/release/release-v202.md index 3c8fec965..393f9b804 100644 --- a/content/zh/docs/release/release-v202.md +++ b/content/zh/docs/release/release-v202.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.0.2" linkTitle: "Release Notes - 2.0.2" -weight: 300 +weight: 1109 --- KubeSphere 2.0.2 was released on July 9, 2019, which fixes known bugs and enhances existing feature. If you have installed versions of 1.0.x, 2.0.0 or 2.0.1, please download KubeSphere installer v2.0.2 to upgrade. diff --git a/content/zh/docs/release/release-v210.md b/content/zh/docs/release/release-v210.md index ae876bee6..6b54b9ca8 100644 --- a/content/zh/docs/release/release-v210.md +++ b/content/zh/docs/release/release-v210.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.1.0" linkTitle: "Release Notes - 2.1.0" -weight: 200 +weight: 1108 --- KubeSphere 2.1.0 was released on Nov 11th, 2019, which fixes known bugs, adds some new features and brings some enhancement. If you have installed versions of 2.0.x, please upgrade it and enjoy the better user experience of v2.1.0. diff --git a/content/zh/docs/release/release-v211.md b/content/zh/docs/release/release-v211.md index d8acba698..1e0f7cb27 100644 --- a/content/zh/docs/release/release-v211.md +++ b/content/zh/docs/release/release-v211.md @@ -4,7 +4,7 @@ keywords: "kubernetes, docker, kubesphere, jenkins, istio, prometheus" description: "KubeSphere Release Notes For 2.1.1" linkTitle: "Release Notes - 2.1.1" -weight: 100 +weight: 1007 --- KubeSphere 2.1.1 was released on Feb 23rd, 2020, which has fixed known bugs and brought some enhancements. For the users who have installed versions of 2.0.x or 2.1.0, make sure to read the user manual carefully about how to upgrade before doing that, and feel free to raise any questions on [GitHub](https://github.com/kubesphere/kubesphere/issues). diff --git a/content/zh/docs/release/release-v300.md b/content/zh/docs/release/release-v300.md index 4ceb85a7c..59d523fb7 100644 --- a/content/zh/docs/release/release-v300.md +++ b/content/zh/docs/release/release-v300.md @@ -4,7 +4,7 @@ keywords: "Kubernetes, KubeSphere, release-notes" description: "KubeSphere Release Notes for 3.0.0" linkTitle: "Release Notes - 3.0.0" -weight: 50 +weight: 1006 --- ## How to get v3.0.0 diff --git a/content/zh/docs/toolbox/_index.md b/content/zh/docs/toolbox/_index.md new file mode 100644 index 000000000..c680cffac --- /dev/null +++ b/content/zh/docs/toolbox/_index.md @@ -0,0 +1,45 @@ +--- +title: "Toolbox" +description: "Help you to better understand KubeSphere toolbox" +layout: "single" + +linkTitle: "Toolbox" + +weight: 16000 + +icon: "/images/docs/docs.svg" +--- + +KubeSphere provides several important functionalities from the toolbox. This chapter demonstrates how to use toolbox of KubeSphere to perform event, log, auditing log queries and run commands with web kubectl. + +![toolbox](/images/docs/toolbox/toolbox.png) + +## [Log Query](../toolbox/log-query/) + +Understand how you can perform quick log queries to keep track of the latest logs of your cluster. + +## [Event Query](../toolbox/events-query/) + +Understand how you can perform quick event queries to keep track of the latest events of your cluster. + +## Auditing + +### [Receive and Customize Auditing Logs](../toolbox/auditing/auditing-receive-customize/) + +Learn how to receive and customize auditing logs. + +### [Auditing Rule](../toolbox/auditing/auditing-rule/) + +Understand the auditing rule and how to customize a rule for processing auditing logs. + +### [Auditing Log Query](../toolbox/auditing/auditing-query/) + +Understand how you can perform quick auditing log queries to keep track of the latest audits of your cluster. + +## [Web Kubectl](../toolbox/web-kubectl/) + +The web kubectl tool is integrated into KubeSphere to provide consistent user experiences for Kubernetes users. + +## [History](../toolbox/history/) + +Learn how to quickly switch between the resources you access in your workspace. diff --git a/content/zh/docs/toolbox/auditing/_index.md b/content/zh/docs/toolbox/auditing/_index.md new file mode 100644 index 000000000..5ae16767b --- /dev/null +++ b/content/zh/docs/toolbox/auditing/_index.md @@ -0,0 +1,7 @@ +--- +linkTitle: "Auditing" +weight: 5510 + +_build: + render: false +--- diff --git a/content/zh/docs/toolbox/auditing/auditing-query.md b/content/zh/docs/toolbox/auditing/auditing-query.md new file mode 100644 index 000000000..9e23c78bf --- /dev/null +++ b/content/zh/docs/toolbox/auditing/auditing-query.md @@ -0,0 +1,69 @@ +--- +title: "Auditing Log Query" +keywords: "Kubernetes, KubeSphere, auditing, log, query" +description: "How to perform queries of auditing logs in KubeSphere." + +linkTitle: "Auditing Log Query" +weight: 4914 +--- + +KubeSphere supports the query of auditing logs among isolated tenants. In this tutorial, you will learn how to use the query function, including the interface, search parameters and detail pages. + +## Prerequisites + +You need to enable [KubeSphere Auditing Logs](../../../pluggable-components/auditing-logs/). + +## Enter Query Dashboard + +1. The query function is available for all users. Log in the console with any account, hover over the **Toolbox** in the lower right corner and select **Auditing Operating**. + +{{< notice note >}} + +Any account has the authorization to query auditing logs, while the logs each account is able to see are different. + +- If an account has the authorization of viewing resources in a project, it can see the auditing log that happens in this project, such as workload creation in the project. +- If an account has the authorization of listing projects in a workspace, it can see the auditing log that happens in this workspace but not in projects, such as project creation in the workspace. +- If an account has the authorization of listing projects in a cluster, it can see the auditing log that happens in this cluster but not in workspaces and projects, such as workspace creation in the cluster. + +{{}} + + ![auditing-operating-ui](/images/docs/toolbox/auditing-operating-ui.jpg) + +2. As shown in the pop-up window, you can see trends in the total number of auditing logs in the last 12 hours. + +![Auditing Operating](/images/docs/toolbox/auditing-operating.png) + +3. The **Auditing Operating** console supports the following query parameters: + +![Auditing Log Filter](/images/docs/toolbox/auditing-log-filter.png) + + Parameter | Description + --- | --- + Cluster | The cluster where the operation happens. It is enabled if the [multi-cluster feature](../../../multicluster-management/) is turned on. + Project | The project where the operation happens. It supports exact query and fuzzy query. + Workspace | The workspace where the operation happens. It supports exact query and fuzzy query. + Resource Type | The type of resource associated with the request. It supports fuzzy query. + Resource Name | The name of the resource associated with the request. It supports fuzzy query. + Verb | The Kubernetes verb associated with the request. For non-resource requests, this is the lower-case HTTP method. It supports exact query. + Status Code | The Http response code. It supports exact query. + Operation Account | The user who calls this request. It supports exact and fuzzy query. + Source IP | The IP address from where the request originated and intermediate proxies. It supports fuzzy query. + Time Range | The time when the request reaches the apiserver. + +{{< notice note >}} + +- Fuzzy query supports case-insensitive fuzzy matching and retrieval of full terms by the first half of a word or phrase based on Elasticsearch segmentation rules. +- KubeSphere stores logs for the last seven days by default. You can modify the retention period in the ConfigMap `elasticsearch-logging-curator`. + +{{}} + +## Enter Query Parameters + +1. Select a filter and input the keyword you want to search. For example, query auditing logs containing the information of `user` changed as shown in the following screenshot: + + ![User Changed](/images/docs/toolbox/user-changed.png) + +2. Click any one of the results from the list, and you can see the detail of the auditing log. + + + ![Auditing Log Detail](/images/docs/toolbox/auditing-log-detail.png) \ No newline at end of file diff --git a/content/zh/docs/toolbox/auditing/auditing-receive-customize.md b/content/zh/docs/toolbox/auditing/auditing-receive-customize.md new file mode 100644 index 000000000..329f32e09 --- /dev/null +++ b/content/zh/docs/toolbox/auditing/auditing-receive-customize.md @@ -0,0 +1,181 @@ +--- +title: "Receive and Customize Auditing Logs" +keywords: "Kubernetes, KubeSphere, auditing, log, customize, receive" +description: "How to receive and customize KubeSphere and Kubernetes auditing logs." + +linkTitle: "Receive and Customize Auditing Logs" +weight: 4910 +--- + +KubeSphere Auditing Logs provide a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Each request to KubeSphere generates an event that is then written to a webhook and processed according to a certain rule. The event will be ignored, stored, or generate an alert based on different rules. + +## Enable KubeSphere Auditing Logs + +To enable auditing logs, see [KubeSphere Auditing Logs](../../../pluggable-components/auditing-logs/). + +## Receive Auditing Logs from KubeSphere + +KubeSphere Auditing Log system receives auditing logs only from KubeSphere by default, while it can also receive auditing logs from Kubernetes. + +Users can stop receiving auditing logs from KubeSphere by changing the value of `auditing.enable` in ConfigMap `kubesphere-config` in the namespace `kubesphere-system` using the following command: + +```bash +kubectl edit cm -n kubesphere-system kubesphere-config +``` + +Change the value of `auditing.enabled` as `false` to stop receiving auditing logs from KubeSphere. + +```yaml + spec: + auditing: + enabled: false +``` + + It should restart the KubeSphere apiserver to make the changes effective. + +## Receive Auditing Logs from Kubernetes + + To make the KubeSphere Auditing Log system receive auditing logs from Kubernetes, you need to add a Kubernetes audit policy file and Kubernetes audit webhook config file to `/etc/kubernetes/manifests/kube-apiserver.yaml` as follows. + +### Audit policy + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: kube-apiserver + namespace: kube-system +spec: + containers: + - command: + - kube-apiserver + - --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml + - --audit-webhook-config-file=/etc/kubernetes/audit/audit-webhook.yaml + volumeMounts: + - mountPath: /etc/kubernetes/audit + name: k8s-audit + readOnly: true + volumes: + - hostPath: + path: /etc/kubernetes/audit + type: DirectoryOrCreate + name: k8s-audit +``` + +{{< notice note >}} + +This operation will restart the Kubernetes apiserver. + +{{}} + +The file `audit-policy.yaml` defines rules about what events should be recorded and what data they should include. You can use a minimal audit policy file to log all requests at the Metadata level: + +```yaml +# Log all requests at the Metadata level. +apiVersion: audit.k8s.io/v1 +kind: Policy +rules: +- level: Metadata +``` + + For more information about the audit policy, see [Audit Policy](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy). + +### Audit webhook + +The file `audit-webhook.yaml` defines the webhook which the Kubernetes auditing logs will be sent to. Here is an example configuration of the Kube-Auditing webhook. + +```yaml +apiVersion: v1 +kind: Config +clusters: +- name: kube-auditing + cluster: + server: https://{ip}:443/audit/webhook/event + insecure-skip-tls-verify: true +contexts: +- context: + cluster: kube-auditing + user: "" + name: default-context +current-context: default-context +preferences: {} +users: [] +``` + + The `ip` is the `CLUSTER-IP` of Service `kube-auditing-webhook-svc` in the namespace `kubesphere-logging-system`. You can get it using this command. + +```bash +kubectl get svc -n kubesphere-logging-system +``` + +{{< notice note >}} + +It should restart the Kubernetes apiserver to make the changes effective after you modified these two files. + +{{}} + +Edit the CRD Webhook `kube-auditing-webhook`, and change the value of `k8sAuditingEnabled` to `true` through the following commands. + +```bash +kubectl edit webhooks.auditing.kubesphere.io kube-auditing-webhook +``` + +```yaml +spec: + auditing: + k8sAuditingEnabled: true +``` +{{< notice tip >}} + +You can also use an account of `platform-admin` role to log in the console, search `Webhook` in **CRDs** on the **Cluster Management** page, and edit `kube-auditing-webhook` directly. + +{{}} + +To stop receiving auditing logs from Kubernetes, remove the configuration of auditing webhook backend, then change the value of `k8sAuditingEnabled` to `false`. + +## Customize Auditing Logs + +KubeSphere Auditing Log system provides a CRD Webhook `kube-auditing-webhook` to customize auditing logs. Here is an example yaml file: + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Webhook +metadata: + name: kube-auditing-webhook +spec: + auditLevel: RequestResponse + auditSinkPolicy: + alertingRuleSelector: + matchLabels: + type: alerting + archivingRuleSelector: + matchLabels: + type: persistence + image: kubesphere/kube-auditing-webhook:v0.1.0 + archivingPriority: DEBUG + alertingPriority: WARNING + replicas: 2 + receivers: + - name: alert + type: alertmanager + config: + service: + namespace: kubesphere-monitoring-system + name: alertmanager-main + port: 9093 +``` + + Parameter | Description | Default + --- | --- | --- + `replicas` | The replica number of the Kube-Auditing webhook. | 2 + `archivingPriority` | The priority of the archiving rule. The known audit types are `DEBUG`, `INFO`, and `WARNING`. | `DEBUG` + `alertingPriority` | The priority of the alerting rule. The known audit types are `DEBUG`, `INFO`, and `WARNING`. | `WARNING` + `auditLevel` | The level of auditing logs. The known levels are:
- `None`: don't log events.
- `Metadata`: log request metadata (requesting user, timestamp, resource, verb, etc.) but not requests or response bodies.
- `Request`: log event metadata and request bodies but no response body. This does not apply to non-resource requests.
- `RequestResponse`: log event metadata, requests, and response bodies. This does not apply to non-resource requests. | `Metadata` + `k8sAuditingEnabled` | Whether to receive Kubernetes auditing logs. | `false` + `receivers` | The receivers to receive alerts. | + +{{< notice note >}} + +You can change the level of Kubernetes auditing logs by modifying the file `audit-policy.yaml`, then restart the Kubernetes apiserver. + +{{}} \ No newline at end of file diff --git a/content/zh/docs/toolbox/auditing/auditing-rule.md b/content/zh/docs/toolbox/auditing/auditing-rule.md new file mode 100644 index 000000000..edff47d73 --- /dev/null +++ b/content/zh/docs/toolbox/auditing/auditing-rule.md @@ -0,0 +1,212 @@ +--- +title: "Auditing Rule" +keywords: "Kubernetes, docker, kubesphere, auditing" +description: "Kubernetes and KubeSphere operation auditing" + +linkTitle: "Auditing Rule" +weight: 4912 +--- + +An auditing rule defines the policy for processing auditing logs. KubeSphere Auditing Logs provide users with two CRD rules (`archiving-rule` and `alerting-rule`) for customization. + +After you enable [KubeSphere Auditing Logs](../../../pluggable-components/auditing-logs/), log in the console with an account of `platform-admin` role. In **CRDs** on the **Cluster Management** page, input `rules.auditing.kubesphere.io` in the search bar. Click the result **Rule** as below and you can see the two CRD rules. + +![auditing-crd](/images/docs/toolbox/auditing-crd.jpg) + +![alerting-archiving-rule](/images/docs/toolbox/alerting-archiving-rule.jpg) + +Below are examples of part of the rules. + +## archiving-rule + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Rule +metadata: + labels: + type: archiving + workspace: system-workspace + name: archiving-rule +spec: + rules: + - desc: all action not need to be audit + list: + - get + - list + - watch + name: ignore-action + type: list + - condition: Verb not in ${ignore-action} + desc: All audit event except get, list, watch event + enable: true + name: archiving + priority: DEBUG + type: rule +``` + +## alerting-rule + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Rule +metadata: + labels: + type: alerting + workspace: system-workspace + name: alerting-rule +spec: + rules: + - desc: all operator need to be audit + list: + - create + - delete + - update + - patch + name: action + type: list + - condition: Verb in ${action} + desc: audit the change of resource + enable: true + name: ResourceChange + priority: INFO + type: rule +``` + + Attributes | Description + --- | --- + `name` | The name of the rule. + `type` | The type of the rule; known values are `rule`, `macro`, `list`, and `alias`. + `desc` | The description of the rule. + `condition` | A filtering expression that is applied against auditing logs to check whether they match the rule. + `macro` | The conditions of the macro. + `list` | The value of list. + `alias` | The value of alias. + `enable` | If it is set to `false`, the rule will not be effective. + `output` | Specifies the message of alert. + `priority` | The priority of the rule. + + When an auditing log matches a rule in `archiving-rule` and the rule priority is no less than `archivingPriority`, it will be stored for further use. When an auditing log matches a rule in `alerting-rule`, if the priority of the rule is less than `alertingPriority`, it will be stored for further use; otherwise it will generate an alert which will be sent to the user. + + +## Rule Condition + +A `Condition` is a filtering expression that can use comparison operators (=, !=, <, <=, >, >=, contains, in, like, and regex) and can be combined using Boolean operators (and, or and not) and parentheses. Here are the supported filters. + + Filter | Description + --- | --- + `Workspace` | The workspace where the audit event happens. + `Devops` | The DevOps project where the audit event happens. + `Level` | The level of auditing logs. + `RequestURI` | RequestURI is the request URI as sent by the client to a server. + `Verb` | The verb associated with the request. + `User.Username` | The name that uniquely identifies this user among all active users. + `User.Groups` | The names of groups this user is a part of. + `SourceIPs` | The source IP from where the request originated and intermediate proxies. + `ObjectRef.Resource` | The resource of the object associated with the request. + `ObjectRef.Namespace` | The namespace of the object associated with the request. + `ObjectRef.Name` | The name of the object associated with the request. + `ObjectRef.Subresource` | The subresource of the object associated with the request. + `ResponseStatus.code` | The suggested HTTP return code for the request. + `ResponseStatus.Status` | The status of the operation. + `RequestReceivedTimestamp` | The time the request reaches the apiserver. + `StageTimestamp` | The time the request reaches the current audit stage. + + For example, to match all logs in the namespace `test`: + +``` +ObjectRef.Namespace = "test" +``` + + To match all logs in the namespaces that start with `test`: + +``` +ObjectRef.Namespace like "test*" +``` + + To match all logs happening in the latest one hour: + +``` +RequestReceivedTimestamp >= "2020-06-12T09:23:28.359896Z" and RequestReceivedTimestamp <= "2020-06-12T10:23:28.359896Z" +``` + +## Macro + +A `macro` is a rule condition snippet that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. Here is an example of a macro. + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Rule +metadata: + name: alerting-rule + labels: + workspace: system-workspace + type: alerting +spec: + rules: + - name: pod + type: macro + desc: pod + macro: ObjectRef.Resource="pods" +``` + +{{< notice note >}} + +A `macro` can be used in rules or other macros like ${pod} or ${alerting-rule.pod}. The difference between these two methods is that ${pod} can only be used in the CRD Rule `alerting-rule`, while ${alerting-rule.pod} can be used in all CRD Rules. This principle also applies to lists and alias. + +{{}} + +## List + +A `list` is a collection of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. Here is an example of a list. + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Rule +metadata: + name: alerting-rule + labels: + workspace: system-workspace + type: alerting +spec: + rules: + - name: action + type: list + desc: all operator needs to be audit + list: + - create + - delete + - update + - patch +``` + +## Alias + +An `alias` is a short name of a filter field. It can be included in rules, macros, lists, and output strings. Here is an example of an alias. + +```yaml +apiVersion: auditing.kubesphere.io/v1alpha1 +kind: Rule +metadata: + name: alerting-rule + labels: + workspace: system-workspace + type: alerting +spec: + rules: + - name: namespace + type: alias + desc: the alias of the resource namespace + alias: ObjectRef.Namespace +``` + +## Output + The `Output` string is used to format the alert message when an auditing log triggers an alert. The `Output` string can include lists and alias. Here is an example. + +```yaml +Output: ${user} ${verb} a HostNetwork Pod ${name} in ${namespace}. +``` +{{< notice note >}} + +The fields of `user`, `verb`, `namespace`, and `name` are all aliases. + +{{}} \ No newline at end of file diff --git a/content/zh/docs/toolbox/events-query.md b/content/zh/docs/toolbox/events-query.md new file mode 100644 index 000000000..6d53c6139 --- /dev/null +++ b/content/zh/docs/toolbox/events-query.md @@ -0,0 +1,57 @@ +--- +title: "Event Query" +keywords: 'KubeSphere, Kubernetes, Event, Query' +description: 'How to perform event query in KubeSphere.' + +linkTitle: "Event Query" +weight: 4900 +--- + +## Objective + +Kubernetes events provide insight into what is happening inside a cluster, based on which KubeSphere adds longer historical query and aggregation capabilities, and also supports event query for tenant isolation. This guide demonstrates how you will do multi-level, fine-grained event queries to track the state of your components. + +## Prerequisites + +- [KubeSphere Events](../../pluggable-components/events/) needs to be enabled. + +## Hands-on Lab + +1. The event query function is available for all users. Log in the console with any account, hover over the **Toolbox** in the lower right corner and select **Event Search**. + + ![events_query_guide](/images/docs/events/events_query_guide.png) + +2. As shown in the pop-up window, you can see the number of events that the account has permission to view. + + ![events_query_home](/images/docs/events/events_query_home.png) + + {{< notice note >}} + +- KubeSphere supports event queries on each cluster separately if you have enabled the multi-cluster feature. You can switch the target cluster using the drop-down list next to the search bar. + +- Supported fields in the search bar: + - Workspace + - Project + - Resource Type + - Resource Name + - Reason + - Message + - Category + - Time Range +- You can customize the query time range by selecting **Time Range** in the search bar. KubeSphere stores events for last seven days by default. + + {{}} + +3. Here is an example to query events in the project `test` whose **Message** contains `container` within last 1 hour as shown in the following screenshot. It returns 84 rows of results with the corresponding time, project, and message all displayed. + + ![events_query_list](/images/docs/events/events_query_list.png) + +4. Click any one of the results from the list, and you can see raw information of it. It is convenient for developers in terms of debugging and analyzing. + + ![events_query_detail](/images/docs/events/events_query_detail.png) + + {{< notice note >}} + +The event query interface supports dynamic refreshing every 5s, 10s or 15s. + + {{}} diff --git a/content/zh/docs/toolbox/history.md b/content/zh/docs/toolbox/history.md new file mode 100644 index 000000000..00449dca3 --- /dev/null +++ b/content/zh/docs/toolbox/history.md @@ -0,0 +1,14 @@ +--- +title: "History" +keywords: 'KubeSphere, Kubernetes, history' +description: 'Use browser history from toolbox' + +linkTitle: "History" +weight: 5520 +--- + +When you work in multiple workspaces or projects, your web browser will record the latest path you visited. You can check your history using F1, Win+K, or Command +K, which helps you quickly switch between the resources you access. + +![toolbox](/images/docs/toolbox/toolbox.png) + +![history](/images/docs/toolbox/history.png) diff --git a/content/zh/docs/toolbox/log-query.md b/content/zh/docs/toolbox/log-query.md new file mode 100644 index 000000000..4b997b72f --- /dev/null +++ b/content/zh/docs/toolbox/log-query.md @@ -0,0 +1,86 @@ +--- +title: "Log Query" +keywords: 'KubeSphere, Kubernetes, log' +description: 'Query Kubernetes logs from toolbox' + +linkTitle: "Log Query" +weight: 4190 +--- + +The logs of applications and systems can help you better understand what is happening inside your cluster and workloads. The logs are particularly useful for debugging problems and monitoring cluster activities. KubeSphere provides a powerful and easy-to-use logging system which offers users the capabilities of log collection, query and management from the perspective of tenants. The tenant-based logging system is much more useful than Kibana since different tenants can only view their own logs, leading to better security. Moreover, KubeSphere logging system filters out some redundant information so that tenants can only focus on logs that are useful to them. + +## Objective + +In this tutorial, you will learn how to use the log query function, including the interface, search parameters and detail pages. + +## Prerequisites + +- You need to enable [KubeSphere Logging System](../../pluggable-components/logging/). + +## Enter Log Query Interface + +1. The log query function is available for all users. Log in the console with any account, hover over the **Toolbox** in the lower right corner and select **Log Search**. + + ![log-query-guide](/images/docs/log-query/log-query-guide.png) + +2. As shown in the pop-up window, you can see a time histogram of log numbers, a cluster selection drop-down list and a log search bar. + + ![log-query-interface](/images/docs/log-query/log-query-interface.png) + + {{< notice note >}} + +- KubeSphere supports log queries on each cluster separately if you have enabled the multi-cluster feature. You can switch the target cluster using the drop-down list next to the log search bar. +- Supported fields in the log search bar: + - Keyword + - Project + - Workload + - Pod + - Container + - Time Range +- The keyword field supports the query of keyword combinations. For example, you can use "Error", "Fail", "Fatal", "Exception", and "Warning" together to query all the exception logs. +- The keyword field supports exact query and fuzzy query. The fuzzy query provides case-insensitive fuzzy matching and retrieval of full terms by the first half of a word or phrase based on the ElasticSearch segmentation rules. For example, you can retrieve the logs containing `node_cpu_total` by searching the keyword `node_cpu` instead of the keyword `cpu`. + + {{}} + +3. You can customize the query time range by selecting **Time Range** in the log search bar. Alternatively, click on the bars in the time histogram, and KubeSphere will use the time range of that bar for log queries. + + ![log-query-time-range](/images/docs/log-query/log-query-time-range.png) + + {{< notice note >}} + +- KubeSphere stores logs for last seven days by default. +- Each cluster has its own log retention period which can be set separately. You can modify it in `ClusterConfiguration`. Refer to [KubeSphere Logging System](../../pluggable-components/logging/) for more details. + + {{}} + +## Use Search Parameters + +1. You can provide as many fields as possible to narrow down your search results. Below is an example of a log query on the cluster `product` with the keyword `error` in the project `kubesphere-system` within `last 12 hours`. + + ![log-query-log-search](/images/docs/log-query/log-query-log-search.png) + +2. It returns logs of 13 rows with the corresponding time, project, pod and container information all displayed. + +3. Click any one of the results from the list. Drill into its detail page and inspect the log from this pod, including the complete context on the right. It is convenient for developers in terms of debugging and analyzing. + + {{< notice note >}} + +The log query interface supports dynamic refreshing with 5s, 10s or 15s, and allows users to export logs to a local file for further analysis (in the top-right corner). + + {{}} + + ![log-query-log-detail](/images/docs/log-query/log-query-log-detail.png) + +4. As you can see from the left panel, you can switch between pods and inspect its containers within the same project from the drop-down list. In this case, you can detect if any abnormal pods affect other pods. + + ![log-query-inspect-other-pods](/images/docs/log-query/log-query-inspect-other-pods.png) + +## Drill into Detail Page + +1. If the log looks abnormal, you can drill into the pod detail page or container detail page to further inspect container logs, resource monitoring graphs and events. + + ![log-query-drill](/images/docs/log-query/log-query-drill.png) + +2. Inspect the container detail page as follows. At the same time, it allows you to open the terminal to debug the container directly. + + ![log-query-drill-container](/images/docs/log-query/log-query-drill-container.png) \ No newline at end of file diff --git a/content/zh/docs/toolbox/web-kubectl.md b/content/zh/docs/toolbox/web-kubectl.md new file mode 100644 index 000000000..4947f92e3 --- /dev/null +++ b/content/zh/docs/toolbox/web-kubectl.md @@ -0,0 +1,51 @@ +--- +title: "Web Kubectl" +keywords: 'KubeSphere, Kubernetes, kubectl, cli' +description: 'Use kubectl from toolbox' + +linkTitle: "Web Kubectl" +weight: 5515 +--- + +The Kubernetes command-line tool, kubectl, allows you to run commands on Kubernetes clusters. You can use kubectl to deploy applications, inspect and manage cluster resources, and view logs. + +KubeSphere provides web kubectl on the console for user convenience. By default, in the current version, only the account granted the `platform-admin` role (such as the default account `admin`) has the permission to use web kubectl for cluster resource operation and management. + +## Objective + +In this tutorial, you will learn how to use web kubectl to operate on and manage cluster resources. + +## Use Web Kubectl + +1. Log in KubeSphere with an account granted the `platform-admin` role, hover over the **Toolbox** in the lower right corner and select **Kubectl**. + + ![web-kubectl-enter](/images/docs/web-kubectl/web-kubectl-enter.png) + +2. You can see the kubectl interface as shown in the pop-up window. If you have enabled the multi-cluster feature, you need to select the target cluster first from the drop-down list in the upper right corner. This drop-down list is not visible if the multi-cluster feature is not enabled. + + ![web-kubectl-cluster-select](/images/docs/web-kubectl/web-kubectl-cluster-select.png) + +3. Enter kubectl commands in the command-line tool to query and manage Kubernetes cluster resources. For example, execute the following command to query the status of all PVCs in the cluster. + + ```bash + kubectl get pvc --all-namespaces + ``` + + ![web-kubectl-example](/images/docs/web-kubectl/web-kubectl-example.png) + +4. Use the following syntax to run kubectl commands from your terminal window: + + ```bash + kubectl [command] [TYPE] [NAME] [flags] + ``` + + {{< notice note >}} + +- Where `command`, `TYPE`, `NAME`, and `flags` are: + - `command`: Specifies the operation that you want to perform on one or more resources, such as `create`, `get`, `describe` and `delete`. + - `TYPE`: Specifies the [resource type](https://kubernetes.io/docs/reference/kubectl/overview/#resource-types). Resource types are case-insensitive and you can specify the singular, plural, or abbreviated forms. + - `NAME`: Specifies the name of the resource. Names are case-sensitive. If the name is omitted, details for all resources are displayed, such as `kubectl get pods`. + - `flags`: Specifies optional flags. For example, you can use the `-s` or `--server` flags to specify the address and port of the Kubernetes API server. +- If you need help, run `kubectl help` from the terminal window or refer to the [Kubernetes kubectl CLI documentation](https://kubernetes.io/docs/reference/kubectl/overview/). + + {{}} diff --git a/content/zh/docs/workspace-administration/_index.md b/content/zh/docs/workspace-administration/_index.md index 902cba66f..13cd81a00 100644 --- a/content/zh/docs/workspace-administration/_index.md +++ b/content/zh/docs/workspace-administration/_index.md @@ -5,7 +5,7 @@ layout: "single" linkTitle: "Workspace Administration" -weight: 4200 +weight: 10000 icon: "/images/docs/docs.svg"