general
  • h

    high-winter-92040

    10/03/2022, 8:59 AM
    Rancher advisory. Github link below. Posted 10 days ago. Please make sure you've updated and patched.
    <https://portswigger.net/daily-swig/rancher-stored-sensitive-values-in-plaintext-exposed-kubernetes-clusters-to-takeover>
    With minimal access privs, one can obtain the cluster token in Rancher versions up to and including 2.5.15 and 2.6.6
    An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like Clusters, for example cluster.management.cattle.io. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of those sensitive data.
    The exposed credentials are visible in Rancher to authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base on the endpoints:
    <https://github.com/advisories/GHSA-g7j7-h4q8-8w2f>
  • n

    numerous-coat-84186

    10/03/2022, 11:17 AM
    hello, is it possible to update the cluster-cidr and/or service-cidr of a running cluster? i couldn't find anything definitive in the docs
  • s

    sparse-fireman-14239

    10/03/2022, 11:18 AM
    I’ve gone through the documentation for RKE2, Googled and still haven’t found a way to gracefully shutdown an RKE2 node. systemctl stop rke2-server (or agent) doesn’t seem to work, regardless of which version I’ve tried (1.22.x & 1.23.x)
  • a

    ambitious-soccer-12568

    10/03/2022, 12:53 PM
    Has anyone encountered such a problem for google oauth login?
    [Google OAuth] testAndApply: server error while authenticating: invalid hostname provided
  • i

    icy-secretary-33916

    10/03/2022, 2:49 PM
    hi everyone. i am new to rancher. Is there any way i can build a CI/CD pipeline using gitlab?
  • v

    victorious-river-3598

    10/03/2022, 4:33 PM
    Here is the rancher agent pod logs:
    CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-86d667c95f-ltqp9 CATTLE_SERVER=<https://35.225.85.114> CATTLE_SERVER_VERSION=v2.6.8
    INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local c.rene-v-sandbox.internal google.internal nameserver 10.0.0.10 options ndots:5
    ERROR: <https://35.225.85.114/ping> is not accessible (Failed to connect to 35.225.85.114 port 443: Connection timed out)
  • v

    victorious-river-3598

    10/03/2022, 4:53 PM
    Actually not a dumb question and that's actually what I'm in the process of doing currently. I had forgotten that it is a private cluster
  • v

    victorious-river-3598

    10/03/2022, 4:53 PM
    Thanks
    👍 1
  • a

    ancient-air-32350

    10/03/2022, 8:28 PM
    hi! is there somewhere a guide on how to create an oracle linux template in vsphere to be used with rancher? but it looks like cloud-init is not installed per default, therefore my cluster is not coming up. and the .ova image from here cannot be imported to vsphere because of some .xml issues https://yum.oracle.com/oracle-linux-templates.html
  • c

    cuddly-appointment-26831

    10/04/2022, 5:27 AM
    Hey Everyone, I have a doubt... So I have my ingress (when seen from kubectl) in networking.k8s.io/v1 but from the rancher ui when I see the ingress yaml, I see the apiVersion as extensions/v1beta1. Idk what is the reason here. Thank you in advance for help !!!
  • a

    abundant-ghost-97733

    10/04/2022, 11:34 AM
    Hi All. Does Rancher Desktop support Windows images?
  • g

    glamorous-guitar-96571

    10/04/2022, 1:07 PM
    Is there actually a bigger issue/reason for Calico not supported by rancher/rke (at least that is written like that in the documentation) for bare metal nodes but only for aws and gce? Actually it seems that some people already use Calico with Bare metal as network plugin with RKE v1.3.14 and for them it works just fine.
  • p

    polite-waitress-19288

    10/04/2022, 1:37 PM
    👋 Hi everyone! I have an issue. I'm trying to connect rke2 on VMWare vcloud director to rancher, also implemented on VMWare vcloud director in the same virtual data center.
  • c

    cuddly-chef-59548

    10/04/2022, 5:19 PM
    I asked this a week or so back, but didn't get a response: In rancher, when i'm using harvester node pools is there any way to add extra external nodes outside of the node pools?
  • a

    able-window-95223

    10/05/2022, 1:15 AM
    Hello here, does anybody know if the kube-apiserver server certificate should be automatically rotated in rancher? If so, any thoughts on what could cause it to not rotate? I have cluster run on a rancher console 2.5.8 and woke this morning to an error like this: x509: certificate has expired or is not yet valid. I was able to rotate the cert through UI, but I wonder what could have caused it to not rotate. This is a cluster provisioned through terraform.
  • a

    able-window-95223

    10/05/2022, 1:26 AM
    Shouldn't the certs be rotated automatically? Any idea what could cause it to not rotate?
  • c

    creamy-pencil-82913

    10/05/2022, 8:59 AM
    we don’t support heterogenous clusters (nodes running different Kubernetes distros). Rancher and possibly k3s as well are going to be fairly confused about that and probably won’t do the right thing with it.
  • c

    clever-mechanic-71254

    10/05/2022, 12:34 PM
    i'm searching for a feature comparison chart using the different options of creating clusters (registered, custom, infrastructure provider) does anyone know where I can find that?
  • b

    blue-florist-78333

    10/05/2022, 12:39 PM
    Hi Guys, We have deployed multiple clusters with Rancher on RKE2. We need to access the downstream cluster directly so we are looking to use authorised cluster endpoint for that but don't seem to find much information around it. Anyone here would be able to help?
  • e

    echoing-country-69231

    10/05/2022, 1:34 PM
    I wanted to apply node affinity while deploying the rancher server chart using helm, but there is no option in chart itself for applying affinity. Can someone tell me how I can achieve this workaround? My cluster is running on EKS.
  • b

    billions-vase-14972

    10/05/2022, 3:26 PM
    You will need to select a project rather than a namespace, as you have All Namespaces selected nothing will show
  • a

    acceptable-judge-34451

    10/05/2022, 5:14 PM
    👋 Hi everyone!
  • a

    acceptable-judge-34451

    10/05/2022, 5:14 PM
    Does anyone have the sales contact? I am looking for support for my organization. I used the website but I still have no response.
  • q

    quiet-area-89381

    10/05/2022, 6:46 PM
    Hi all. I installed rancher using helm, first with its own generated certificate. I uninstalled and configured everything with a certificate called tls-rancher-ingress in the cattle-system namespace, issued by let's encrypt. But somehow the ingress still serves the old generated certificate. I checked that the ingress was gone after i uninstalled rancher. How can I make sure the right certificate is picked up?
  • p

    powerful-farmer-23811

    10/05/2022, 8:53 PM
    hey everyone, I was wondering if someone could guide me to fix this following issue, when I go to upgrade rancher from 2.5.8 to 2.6.8, I get the following issue. any ideas? I originally installed rancher via Helm 2 and now used the 2to3 plugin. This error is using helm 3
    helm upgrade rancher rancher-stable/rancher --namespace cattle-system --set hostname=rancher.test.lan --set ingress.tls.source=secret
    Error: UPGRADE FAILED: rendered manifests contain a resource that already exists. Unable to continue with update: Ingress "rancher" in namespace "cattle-system" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "rancher"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "cattle-system"
  • i

    icy-secretary-33916

    10/05/2022, 9:27 PM
    Warning FailedCreatePodSandBox 3m52s (x446 over 101m) kubelet (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "7ef081bf23ea0b25b8e104402b471015b86426bcb6417cb6b49e60f594526f2e": plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized
  • i

    icy-secretary-33916

    10/05/2022, 9:30 PM
    hey everyone, my rancher server is running healthy but somehow each pod that i create is stuck in container creating. i can not create any running pods anymore
  • i

    icy-secretary-33916

    10/05/2022, 9:30 PM
    Any idea what the issue could be?
  • q

    quiet-area-89381

    10/05/2022, 10:20 PM
    Following the documentation to setup SSO using Google on rancher, we get this error when clicking "enable"
    [Google OAuth] testAndApply: server error while authenticating: Get "<https://admin.googleapis.com/admin/directory/v1/groups?alt=json&domain=microbyre.com&prettyPrint=false&userKey=104963972947843610189>": oauth2: cannot fetch token: 401 Unauthorized
    Response: {
    "error": "unauthorized_client",
    "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
    }
    We verified the SA has the permissions and the delegation on the workspace side too.
  • q

    quiet-chef-27276

    10/06/2022, 1:54 AM
    Hi all, I'm wondering if anyone has looked at k3s onboard a satellite? I've heard of some projects, but looking for real-world use-cases and advice! Or tell me it's a totally crazy idea 😄
c

creamy-pencil-82913

10/06/2022, 2:57 AM
Let us know if you do it! I've heard of it being used in airplanes...
l

limited-pizza-33551

10/06/2022, 10:40 AM
This was something I got off a quick google search. I also heard of this during a conference - https://links.imagerelay.com/cdn/3404/ql/7c5636da933a41358355e798dac72c1a/hypergiant-putting-managed-compute-power-in-space-with-k3s-ss.pdf
a

agreeable-oil-87482

10/06/2022, 11:10 AM
Beat me to it @limited-pizza-33551 😄
https://www.suse.com/success/hypergiant/
q

quiet-chef-27276

10/06/2022, 11:12 AM
I came across that one too - makes me slightly more confident, but keen to hear of others' experiences and what tools/services might be good to work alongside k3s.
For example: how to manage software updates and failsafe (revert to last known or factory settings, etc)
l

limited-pizza-33551

10/06/2022, 11:18 AM
I do know it is used in submarines as well: https://calhoun.nps.edu/handle/10945/68688 & this paper had a deep dive on the implementation specifics
AFAIK the specific use case being air-gapped required the creation of a customized tool - ZARF.