Rancher advisory. Github link below. Posted 10 days ago. Please make sure you've updated and patched.

<https://portswigger.net/daily-swig/rancher-stored-sensitive-values-in-plaintext-exposed-kubernetes-clusters-to-takeover>

With minimal access privs, one can obtain the cluster token in Rancher versions up to and including 2.5.15 and 2.6.6

An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like Clusters, for example cluster.management.cattle.io. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of those sensitive data.

The exposed credentials are visible in Rancher to authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base on the endpoints:

<https://github.com/advisories/GHSA-g7j7-h4q8-8w2f>

hello, is it possible to update the cluster-cidr and/or service-cidr of a running cluster? i couldn't find anything definitive in the docs

I’ve gone through the documentation for RKE2, Googled and still haven’t found a way to gracefully shutdown an RKE2 node. systemctl stop rke2-server (or agent) doesn’t seem to work, regardless of which version I’ve tried (1.22.x & 1.23.x)

Has anyone encountered such a problem for google oauth login?

[Google OAuth] testAndApply: server error while authenticating: invalid hostname provided

hii everyone. i am new to rancher . Is there any way i can build a CI /CD pipeline using gitlab ?

Here is the rancher agent pod logs:

CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-86d667c95f-ltqp9 CATTLE_SERVER=<https://35.225.85.114> CATTLE_SERVER_VERSION=v2.6.8
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local c.rene-v-sandbox.internal google.internal nameserver 10.0.0.10 options ndots:5
ERROR: <https://35.225.85.114/ping> is not accessible (Failed to connect to 35.225.85.114 port 443: Connection timed out)

Actually not a dumb question and that's actually what I'm in the process of doing currently. I had forgotten that it is a private cluster

Thanks

hi! is there somewhere an guide on how to create an oracle linux template in vpshere to be used with rancher ? but it looks like cloud-init is not installed per default, therefore my cluster is not coming up. and the .ova image from here cannot be imported to vsphere because of some .xml issues https://yum.oracle.com/oracle-linux-templates.html

Hey Everyone, I have a doubt... So I have my ingress ( when seen from kubectl ) in networking.k8s.io/v1 but from the rancher ui when I see the ingress yaml, I see the apiVersioin as extensions/v1beta1. Idk what is the reason here. Thank you in advance for help !!!

Hi All. Does Rancher Desktop support Windows images?

Is there actually a bigger issue/reason for Calico not supported by rancher/rke (at least that is written like that in the documentation) for bare metal nodes but only for aws and gce? Actually it seems that some people already use Calico with Bare metal as network plugin with RKE v1.3.14 and for them it works just fine.

👋 Hi everyone! I have an issue. I'm trying connect rke2 on VMWare vcloud director to racher implemented alsow on VMWare vcloud director in same virtual data center.

I asked this a week or so back, but didnt get a response: In rancher, when i'm using harvester node pools is there anyway to add extra external nodes outside of the node pools?

Hello here, does anybody know if the kube-apiserver server certificate should be automatically rotated in rancher? If so, any thoughts on what could cause it to not rotate? I have cluster run on a rancher console 2.5.8 and woke this morning to an error like this:

x509: certificate has expired or is not yet valid

. I was able to rotate the cert through UI, but I wonder what could have caused it to not rotate. This is a cluster provisioned through terraform.

Shouldn't the certs be rotated automatically? Any idea what could cause it to not rotate?

we don’t support heterogenous clusters (nodes running different Kubernetes distros). Rancher and possibly k3s as well are going to be fairly confused about that and probably won’t do the right thing with it.

i'm searching for a feature comparison chart using the different options of creating clusters (registered, custom, infrastructure provider) does anyone know where I can find that?

Hi Guys, We have deployed multiple clusters with Rancher on RKE2. We need to access the downstream cluster directly so we are looking to use authorised cluster endpoint for that but dont seem to find much information around it. Anyone here would be able to help?

I wanted to apply node affinity while deploying the rancher server chart using helm, but there is no option in chart itself for applying affinity. Can someone tell me that how can I achieve this workaround. My cluster is running on EKS.

You will need to select a project rather than a namespace, as you have All Namespaces selected nothing will show

👋 Hi everyone!

Does anyone have the sales contact? I am looking for support for my organization. I used the website but I still have no response.

HI all. I installed rancher using helm, first with its own generated certificate. I uninstalled and configured everything with a certificate call

tls-rancher-ingress

in the

cattle-system

namespace, issued by let's encrypt. But somehow the ingress still serves the old generated certificate. I checked that the ingress was gone after i uninstalled rancher. How can I make sure the right certificate is picked up?

hey everyone, I was wondering if someone could guide to to fix this following issue, when I go to upgrade rancher from 2.5.8 to 2.6.8, I get the following issue. any ideas? I originally install rancher via Helm 2 and now used the 2to3 plugin. This error is using helm 3 helm upgrade rancher rancher-stable/rancher --namespace cattle-system --set hostname=rancher.test.lan --set ingress.tls.source=secret Error: UPGRADE FAILED: rendered manifests contain a resource that already exists. Unable to continue with update: Ingress "rancher" in namespace "cattle-system" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "rancher"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "cattle-system"

Warning FailedCreatePodSandBox 3m52s (x446 over 101m) kubelet (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "7ef081bf23ea0b25b8e104402b471015b86426bcb6417cb6b49e60f594526f2e": plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized

hey everyone, my rancher server is running healthy but somehow each pods that i create are stuck in container creating . i can not create any running pods anymore

Any idea what the issue could be?

Following the documentation to setup SSO using Google on rancher, we get this error when clicking "enable"

[Google OAuth] testAndApply: server error while authenticating: Get "<https://admin.googleapis.com/admin/directory/v1/groups?alt=json&domain=microbyre.com&prettyPrint=false&userKey=104963972947843610189>": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

We verified the SA has the permissions and the delegation on the workspace side too.