ripe-queen-73614
07/28/2022, 8:54 AM
ripe-queen-73614
07/28/2022, 8:55 AM
refined-area-45178
07/28/2022, 9:01 AM
billions-kite-9416
07/28/2022, 10:56 AM
feature gate on my api server. After editing the config.yaml file and restarting the rke2-server process the api server never comes back up and there are 500 Internal Server Errors from kube-proxy in the logs. Does anyone have any idea how to go about this?
eager-refrigerator-66976
07/28/2022, 12:46 PM
global-unrestricted-psp-rolebinding provisioned by default
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-07-20T11:45:40Z"
  name: global-unrestricted-psp-rolebinding
  resourceVersion: "229"
  uid: 8dca97e8-3cf9-4eeb-a8c8-2b84efb70e55
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: global-unrestricted-psp-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
that gives unrestricted access to anything authenticated…
bored-rain-98291
07/28/2022, 3:03 PM
bored-rain-98291
07/28/2022, 3:45 PM
aloof-church-32790
07/28/2022, 6:05 PM
cloud-provider-name: external
disable-cloud-controller: true
Shouldn't the nodes be tainted with "node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule"?
Trying to figure out why this isn't happening for me.
swift-zebra-42479
07/29/2022, 6:06 AM
bored-rain-98291
07/29/2022, 1:32 PM
magnificent-vr-88571
08/01/2022, 3:17 PM
millions-book-52954
07/25/2022, 11:07 AM
1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd
1. Check that the etcd user and group exist on the host. If they don't, exit with an error.
2. Create etcd's data directory with etcd as the user and group owner.
3. Ensure the etcd process is run as the etcd user and group by setting the etcd static pod's SecurityContext appropriately.
Source: https://rancher.com/docs/rancher/v2.6/en/security/hardening-guides/rke2-1.6-hardening-2.6/#ensure-etcd-is-configured-properly
User creation is (partly?) documented:
sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
Questions:
1 - Is there a reason not to specify a UID/GID (as opposed to RKE)?
2 - What is the best way to set the SecurityContext for etcd pods?
• Is it done by enabling the cis profile in config.yaml? (This is not the case for my cluster currently, as I am trying to pass the test before enabling it.)
• As opposed to RKE, it seems not to be possible to set the etcd user/group explicitly in config.yaml.
• The last option seems to be updating /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
Let me know if I misunderstood something.
bored-rain-98291
08/02/2022, 3:04 PM
bored-rain-98291
08/02/2022, 2:46 PM
refined-area-45178
08/02/2022, 6:16 PM
clean-airplane-85370
08/04/2022, 2:24 PM
sticky-megabyte-50644
08/04/2022, 5:44 PM
sticky-megabyte-50644
08/04/2022, 5:57 PM
stale-painting-80203
08/05/2022, 4:22 PM
kind-air-74358
08/10/2022, 9:20 AM
ambitious-plastic-3551
08/10/2022, 6:09 PM
ambitious-plastic-3551
08/10/2022, 6:11 PM
great-photographer-94826
08/12/2022, 11:32 AM
server: https://${rke2_server_01_ip_address}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
- fluentd=true
profile: cis-1.6
tls-san:
- ${rke2_server_01_ip_address}
- ${node_fqdn}
- ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
Then I stopped all rke2 nodes (servers and agents). I modified the /etc/rancher/rke2/config.yaml files on all servers.
server: https://${load_balancer_fqdn}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
- fluentd=true
profile: cis-1.6
tls-san:
- ${rke2_server_01_ip_address}
- ${node_fqdn}
- ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
kube-apiserver-arg:
- enable-admission-plugins=AlwaysPullImages,EventRateLimit,NodeRestriction,PodSecurityPolicy
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
When starting rke2-server.service on the first server node, I see in the log that it cannot start. It just loops these messages:
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_02_ip_address}:9345/v1-rke2/connect"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_03_ip_address}:9345/v1-rke2/connect"
Any comments are welcome!
stale-fish-49559
08/15/2022, 5:51 PM
narrow-noon-75604
08/16/2022, 1:22 PM
magnificent-vr-88571
08/18/2022, 2:36 PM
bored-rain-98291
08/18/2022, 3:26 PM
orange-cpu-47176
08/18/2022, 3:50 PM
curl -sfL https://get.rke2.io | sh -, which happens correctly, but at the command systemctl start rke2-server.service the cluster does not go up.
From what I understand from looking at the logs, containerd fails to connect to index.docker.io.
Do you have any solutions?
I'll preface this by saying that docker is running normally.
stale-fish-49559
08/18/2022, 8:17 PM
cat >/etc/rancher/rke2/config.yaml <<'EOF'
cni: cilium
node-taint: CriticalAddonsOnly=true:NoExecute
write-kubeconfig-mode: 0644
EOF
However, the cilium operator is failing due to "1 node(s) didn't have free ports for the requested pod ports", and that port would be 6942. netstat shows "tcp6 0 0 :::6942 :::* LISTEN 5246/cilium-operato". Any ideas what is happening there?
billions-easter-91774
08/18/2022, 9:52 PM