How can we set

ulimit memlock=-1:-1

in RKE2 k8s containers?

Hello, I'm having an issue where pods can not talk to each other inside the same (custom) namespace. This occurs with CIS enabled or disabled, so I don't think its network policy related. Also I can deploy the same pods to kube-system and they work fine. Am I missing something like a label or annotation that is required for namespaces? Using version v1.24.8+rke2r1

How can modify my root folder from the jenkins users, all the sudoers permissions are set, but rke pod is not allowing to write anything to the root directory

Hi all, Is there any rke2 terraform provider or other similar solutions for installation automation ?

Hi, I want to deploy RKE2 on Centos7 & RHEL7 VMs but not sure if RKE2 is supported on those platforms. Please help me with the Air-Gap installation steps if RKE2 is supported. Thanks,

Hi everyone! Quick question, I accidentally started

rke2-server

service on an

rke2-agent

service node. It converted the node in the cluster to a control-plane node, which it shouldn't be. I removed the node (

kubectl delete node

), rebooted it and started rke2-agent again, which added it. As good as everything is fine now, but control-plane pods are still started on the node... I tried deleting the pods , but they always come back:

cloud-controller-manager-agent-001        0/1     Error       2              9m17s
etcd-agent-001                            0/1     Completed   14             5m10s
kube-apiserver-agent-001                  0/1     Error       19             5m10s
kube-controller-manager-agent-001         1/1     Running     2 (34m ago)    3m7s
kube-scheduler-agent-001                  1/1     Running     2 (34m ago)    3m6s

I thought etcd might be the problem, so I tried to annotate

kubectl annotate node agent-001 <http://etcd.k3s.cattle.io/remove=true|etcd.k3s.cattle.io/remove=true>

, but this did not work. How do I proceed?

tldr; converted agent node to server node, want to convert it back.

I'm struggling with my ingress being resynced constantly due to argocd-rollout (https://github.com/argoproj/argo-rollouts/issues/1070) i'm curious as i'm not sure yet why rancher is updating the ingress resource with the mentioned annotation?

<http://field.cattle.io/publicEndpoints|field.cattle.io/publicEndpoints>

what is it used for and how can i control it?

Good afternoon good people! My team has a vault cluster running on rke2 1.20 but the latest upgrade for vault requires it to run on 1.21+. Since this is a pretty important cluster with stateful sets and all our vault secrets we weren't 100% sure if we could simply upgrade both the rke2 master and agent by joining a new server to the cluster and make the leader election and call it a day or there is a more preferred way to do this. Any thoughts? My team can provide me with more details as needed if you have follow up questions (and if there is a better channel to ask this, please let me know)

Hey Folks,

I'm not sure what's going on here... or how to troubleshoot this... but rke2-agent just restarts constantly over and over.

Any ideas?

And.... nevermind. I sorted this on my own. I was being daft. Thanks.

Hello guys, hope you are all doing well! Recently, I faced an issue with RKE2 + containerd + SELinux enabled, in short, the ctime of files in PV changed every time when a pod is started, any idea on how to debug and fix this? BTW, previously I thought I figure it out, but seems it's not working as expected, you can see this discussions: https://github.com/containerd/containerd/discussions/7178 Thanks

Hi, I'm using rke2 1.25.4+rke2r1 both for server and agent nodes. Worker(Agent) Nodes: I found that some agent nodes having hard time with connection to master node. Logs are from journalctl of rke2-agent

Dec 30 16:41:53 worker1 rke2[2343799]: time="2022-12-30T16:41:53+09:00" level=error msg="Remotedialer proxy error" error="connect not allowed"
Dec 30 16:41:58 worker1 rke2[2343799]: time="2022-12-30T16:41:58+09:00" level=info msg="Connecting to proxy" url="<wss://master-ip:9345/v1-rke2/connect>"

Server Node:

rke2-server

service show logs below

Dec 30 07:41:53 server rke2[1379172]: time="2022-12-30T07:41:53Z" level=warning msg="Proxy error: read failed: tunnel disconnect"
Dec 30 07:41:58 server rke2[1379172]: time="2022-12-30T07:41:58Z" level=info msg="Handling backend connection request [lambda-server-cpu-2]"
Dec 30 07:42:04 server rke2[1379172]: time="2022-12-30T07:42:04Z" level=info msg="error in remotedialer server [400]: websocket: close 1006 (abnormal closure): unexpected EOF

Could you suggest where should I start to debug this?

i just upgraded from the latest 1.24 releast to 1.25.5 and it seems like calico is not able to come up

I have an issue, getting the CIS benchmark to pass, specifically "5.1.5 Ensure that default service accounts are not actively used. (Automated)". Running the profile rke2-cis-1.6-profile-hardened on a v1.24.9+rke2r1 cluster. Below query does not return any results so should be fine but the test keeps failing.

kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true))' | jq .metadata.namespace

Any ideas?

I followed the quickstart from the docs on 2 Ubuntu 22.04 Server VMs. After joining the worker node I checked node status and the master says that the CNI plugin was not initialized. I've tried searching the chat here, but no results in the last 30 days. Anyone have some insight or a place I should begin looking?

Another question. The quick start has you download and run the install script (which also downloads the rke2 binary) but then tells you to start the

rke2-{server|agent}.service

. But in the Installation Methods doc and all over in the other docs, it says to run the

rke2

binary with either a config file or config flags and makes no mention of starting or enabling services. What is the recommended installation method?

Hi, I am trying to install rke2 on linode (unmanaged) with rancher 2.7. For linode, as far as I can see, I would still have to install the ccm and set the cloud provider to external. I just can't find a good doc on how to install the ccm. As soon as I set the cloud provider to external, the node can no longer join. All the instructions I have found refer to rke1 and there the config options look a bit different. The existing documentation for rke2 is relatively thin and I don't know where to set which options in the cluster configuration. I tried the following (using additinalManifest):

apiVersion: <http://provisioning.cattle.io/v1|provisioning.cattle.io/v1>
kind: Cluster
metadata:
  name: test
  annotations:
    {}
  labels:
    {}
  namespace: fleet-default
spec:
  cloudCredentialSecretName: cattle-global-data:cc-ddncq
  defaultPodSecurityPolicyTemplateName: ''
  kubernetesVersion: v1.24.8+rke2r1
  localClusterAuthEndpoint:
    caCerts: ''
    enabled: false
    fqdn: ''
  rkeConfig:
    additionalManifest: |+
      apiVersion: v1
      kind: Secret
      metadata:
        name: ccm-linode
        namespace: kube-system
      type: Opaque
      data:
        apiToken: xxxx
        region: xxxx
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: ccm-linode
        namespace: kube-system
      ---
      apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
      kind: ClusterRole
      metadata:
        name: ccm-linode-clusterrole
      rules:
      - apiGroups: [""]
        resources: ["endpoints"]
        verbs: ["get", "watch", "list", "update", "create"]
      - apiGroups: [""]
        resources: ["nodes"]
        verbs: ["get", "watch", "list", "update", "delete", "patch"]
      - apiGroups: [""]
        resources: ["nodes/status"]
        verbs: ["get", "watch", "list", "update", "delete", "patch"]
      - apiGroups: [""]
        resources: ["events"]
        verbs: ["get", "watch", "list", "update", "create", "patch"]
      - apiGroups: [""]
        resources: ["persistentvolumes"]
        verbs: ["get", "watch", "list", "update"]
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get"]
      - apiGroups: [""]
        resources: ["services"]
        verbs: ["get", "watch", "list"]
      - apiGroups: [""]
        resources: ["services/status"]
        verbs: ["get", "watch", "list", "update", "patch"]
      ---
      kind: ClusterRoleBinding
      apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
      metadata:
        name: ccm-linode-clusterrolebinding
      roleRef:
        apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
        kind: ClusterRole
        name: ccm-linode-clusterrole
      subjects:
      - kind: ServiceAccount
        name: ccm-linode
        namespace: kube-system
      ---
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: ccm-linode
        labels:
          app: ccm-linode
        namespace: kube-system
      spec:
        selector:
          matchLabels:
            app: ccm-linode
        template:
          metadata:
            labels:
              app: ccm-linode
          spec:
            serviceAccountName: ccm-linode
            nodeSelector:
              # The CCM will only run on a Node labelled as a master, you may want to change this
              <http://node-role.kubernetes.io/master|node-role.kubernetes.io/master>: ""
            tolerations:
              # The CCM can run on Nodes tainted as masters
              - key: "<http://node-role.kubernetes.io/master|node-role.kubernetes.io/master>"
                effect: "NoSchedule"
              # The CCM is a "critical addon"
              - key: "CriticalAddonsOnly"
                operator: "Exists"
              # This taint is set on all Nodes when an external CCM is used
              - key: <http://node.cloudprovider.kubernetes.io/uninitialized|node.cloudprovider.kubernetes.io/uninitialized>
                value: "true"
                effect: NoSchedule
              - key: <http://node.kubernetes.io/not-ready|node.kubernetes.io/not-ready>
                operator: Exists
                effect: NoSchedule
              - key: <http://node.kubernetes.io/unreachable|node.kubernetes.io/unreachable>
                operator: Exists
                effect: NoSchedule
            hostNetwork: true
            containers:
              - image: linode/linode-cloud-controller-manager:latest
                imagePullPolicy: Always
                name: ccm-linode
                args:
                - --leader-elect-resource-lock=endpoints
                - --v=3
                - --port=0
                - --secure-port=10253
                volumeMounts:
                - mountPath: /etc/kubernetes
                  name: k8s
                env:
                  - name: LINODE_API_TOKEN
                    valueFrom:
                      secretKeyRef:
                        name: ccm-linode
                        key: apiToken
                  - name: LINODE_REGION
                    valueFrom:
                      secretKeyRef:
                        name: ccm-linode
                        key: region
            volumes:
            - name: k8s
              hostPath:
                path: /etc/kubernetes
    chartValues:
      rke2-calico: {}
    etcd:
      disableSnapshots: false
      s3:
      snapshotRetention: 5
      snapshotScheduleCron: 0 */5 * * *
    machineGlobalConfig:
      cni: calico
      disable-kube-proxy: false
      etcd-expose-metrics: false
      profile: null
    machinePools:
      - name: pool1
        etcdRole: true
        controlPlaneRole: true
        workerRole: true
        hostnamePrefix: ''
        quantity: 1
        unhealthyNodeTimeout: 0m
        machineConfigRef:
          kind: LinodeConfig
          name: nc-test-pool1-gzwhp
        labels: {}

    machineSelectorConfig:
      - config:
          cloud-provider-name: external
          protect-kernel-defaults: false
    registries:
      configs:
        {}
      mirrors:
        {}
    upgradeStrategy:
      controlPlaneConcurrency: '1'
      controlPlaneDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120
      workerConcurrency: '1'
      workerDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120
  machineSelectorConfig:
    - config: {}
__clone: true

What the exact error is, I can not currently determine, because I get no access to the cluster via the rancher ui yet.

Hey, I have a small problem provision a rke2 cluster with docker machine driver (hetzner).

Hello! I am attempting to remove SSH from

felixConfiguration.failsafeInboundHostPorts

so we can protect it with policies. I opened an issue here but wanted to know if I am overlooking something.

Hi, in rke2 are secrets encrypted at rest by default?

trying to upgrade from 1.24 to 1.25 and my first node is failing on the profile being set to cis-1.6, what value should the profile flag be set to in order to perform the upgrade?

Hi we have built an rke2 v1.22.11+rke2r1 cluster on vsphere via the rancher UI, cloud provider was set at none. When we try to install the vsphere cpi via the apps->chart the rancher-vsphere-cpi-cloud-controller-manager pod throws an error that port 10258 is already in use. Any idea how to get past this issue?

Provider: *RKE2*

Kubernetes Version: *v1.24.7*

check the details for error info?

Hi Everyone, I need some help parse the release metadata for rke2 releases. Is this release information (specifically, supported k8s version, system images etc.) available in some JSON format ? (https://github.com/rancher/rke2/releases/tag/v1.26.0%2Brke2r1

Hello! I'm new to rancher. I'm wondering if rke2 is able to be used as a rootless user? I know k3s can in an experimental way, but was wondering if this can also be done for rke2.

is there a way to switch cluster network to Calico from Canal? I read somewhere we can only decide during the cluster set up.