docs: rewrite Kubernetes page (#3928)
This commit is contained in:
parent
a04b53f4f8
commit
2133b51e78
|
@ -107,3 +107,37 @@ div.md-content article.md-content__inner a.toclink code {
|
|||
.md-nav__item--nested > .md-nav__link {
|
||||
font-weight: 700;
|
||||
}
|
||||
|
||||
/* ============================================================================================================= */
|
||||
|
||||
/*
|
||||
TaskList style for a pro/con list. Presently only used for this type of list in the kubernetes docs.
|
||||
Uses a custom icon for the unchecked (con) state: :octicons-x-circle-fill-24:
|
||||
https://github.com/squidfunk/mkdocs-material/discussions/6811#discussioncomment-8700795
|
||||
|
||||
TODO: Can better scope the style under a class name when migrating to block extension syntax:
|
||||
https://github.com/facelessuser/pymdown-extensions/discussions/1973
|
||||
*/
|
||||
|
||||
:root {
|
||||
--md-tasklist-icon--failed: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M1 12C1 5.925 5.925 1 12 1s11 4.925 11 11-4.925 11-11 11S1 18.075 1 12Zm8.036-4.024a.751.751 0 0 0-1.042.018.751.751 0 0 0-.018 1.042L10.939 12l-2.963 2.963a.749.749 0 0 0 .326 1.275.749.749 0 0 0 .734-.215L12 13.06l2.963 2.964a.75.75 0 0 0 1.061-1.06L13.061 12l2.963-2.964a.749.749 0 0 0-.326-1.275.749.749 0 0 0-.734.215L12 10.939Z"/></svg>');
|
||||
}
|
||||
|
||||
.md-typeset [type="checkbox"] + .task-list-indicator::before {
|
||||
background-color: rgb(216, 87, 48);
|
||||
-webkit-mask-image: var(--md-tasklist-icon--failed);
|
||||
mask-image: var(--md-tasklist-icon--failed);
|
||||
}
|
||||
|
||||
/* More suitable shade of green */
|
||||
.md-typeset [type=checkbox]:checked+.task-list-indicator:before {
|
||||
background-color: rgb(97, 216, 42);
|
||||
}
|
||||
|
||||
/* Tiny layout shift */
|
||||
[dir=ltr] .md-typeset .task-list-indicator:before {
|
||||
left: -1.6em;
|
||||
top: 1px;
|
||||
}
|
||||
|
||||
/* ============================================================================================================= */
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -14,6 +14,8 @@ This reduces many of the benefits for why you might use a reverse proxy, but the
|
|||
|
||||
Some deployments may require a service to route traffic (kubernetes) when deploying, in which case the below advice is important to understand well.
|
||||
|
||||
The guide here has also been adapted for [our Kubernetes docs][docs::kubernetes].
|
||||
|
||||
## What can go wrong?
|
||||
|
||||
Without a reverse proxy involved, a service is typically aware of the client IP for a connection.
|
||||
|
@ -354,9 +356,8 @@ Software on the receiving end of the connection often supports configuring an IP
|
|||
[`postscreen_access_list`][postfix-docs::settings::postscreen_access_list] (_or [`smtpd_client_restrictions`][postfix-docs::settings::smtpd_client_restrictions] with [`check_client_access`][postfix-docs::settings::check_client_access] for ports 587/465_) can both restrict access by IP via a [CIDR lookup table][postfix-docs::config-table::cidr], however the client IP is already rewritten at this point via PROXY protocol.
|
||||
|
||||
Thus those settings cannot be used for restricting access to only trusted proxies, only to the actual clients.
|
||||
|
||||
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
|
||||
|
||||
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
|
||||
|
||||
### Monitoring
|
||||
|
||||
|
@ -373,6 +374,8 @@ While PROXY protocol works well with the reverse proxy, you may have some contai
|
|||
|
||||
You should adjust configuration of these monitoring services to monitor for auth failures from those services directly instead, adding an exclusion for that service IP from any DMS logs monitored (_but be mindful of PROXY header forgery risks_).
|
||||
|
||||
[docs::kubernetes]: ../../config/advanced/kubernetes.md#using-the-proxy-protocol
|
||||
|
||||
[docs::overrides::dovecot]: ../../config/advanced/override-defaults/dovecot.md
|
||||
[docs::overrides::postfix]: ../../config/advanced/override-defaults/postfix.md
|
||||
[docs::overrides::user-patches]: ../../config/advanced/override-defaults/user-patches.md
|
||||
|
|
|
@ -82,6 +82,11 @@ markdown_extensions:
|
|||
format: !!python/name:pymdownx.superfences.fence_code_format
|
||||
- pymdownx.tabbed:
|
||||
alternate_style: true
|
||||
slugify: !!python/object/apply:pymdownx.slugs.slugify
|
||||
kwds:
|
||||
case: lower
|
||||
- pymdownx.tasklist:
|
||||
custom_checkbox: true
|
||||
- pymdownx.magiclink
|
||||
- pymdownx.inlinehilite
|
||||
- pymdownx.tilde
|
||||
|
|
Loading…
Reference in New Issue