Hello team, I have an rke2 cluster with 6 nodes, three of them master and three worker. In the masters we disable the installation of ingress-nginx but not in the workers and I don't see it installed. The thing is that I want to set up an entry for a kibana eck that I have installed and it doesn't work for me. I understand that it is because the nginx ingress is not installed, is it correct?

how can i install ingress-nginx now? my version of rke2 is the following rke2 version v1.21.6+rke2r1

Hello everyone, is it possible to deploy rke2 default nginx-ingress-controller into another namespace instead of kube-system? I’ve tried with HelmChartConfig but it doesn’t help

I am trying to enable a new

feature gate

on my api server. After editing the

config.yaml

file and restarting the

rke2-server

process the api server never comes back up and there are

500 Internal Server Errors

from kube-proxy in the logs. Does anyone have any idea how to go about this?

hey guys, is there a way how can I disable crb

global-unrestricted-psp-rolebinding

provisioned by default

apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-07-20T11:45:40Z"
  name: global-unrestricted-psp-rolebinding
  resourceVersion: "229"
  uid: 8dca97e8-3cf9-4eeb-a8c8-2b84efb70e55
roleRef:
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
  kind: ClusterRole
  name: global-unrestricted-psp-clusterrole
subjects:
- apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
  kind: Group
  name: system:authenticated

that gives unrestricted access to anything authenticated…

We are hosting RKE2 on a bare-metal cluster. I read that rke2 has nginx-ingress controller already installed? what configuration do i need to make so developers can use this for their deployments? thanks for any help

also what would metallb add that the ingress controller does not already provide?

When setting:

cloud-provider-name: external

disable-cloud-controller: true

Shouldn't the nodes be tainted with "_node_._cloudprovider_._kubernetes_.io/_uninitialized_=true:NoSchedule"? Trying to figure out why this isn't happening for me.

Hi, Please suggestion me below two point for RKE2: • Management of security certificates and enable data encryption • SSL enabled endpoint verification

Not to sound like a n00b but its not clear how to modify the nginx ingress controller for normal operation. I have devs wanting to deploy their apps and set their internal hostnames. Is it basically just modifying the manifest like a normal deployment?

Thanks for making https://www.raptorswithhats.com/gitea-on-rke2-metallb/

Hello, I'm currently looking to configure my RKE2 cluster (v1.23.6+rke2r2) to be more secure based on CIS 1.6. Is there a best practice or a consensus to be compliant with this CIS test ?

1.1.12 - Ensure that the etcd data directory ownership is set to

etcd:etcd

1. Check that the

etcd

user and group exists on the host. If they don’t, exit with an error.

2. Create etcd’s data directory with

etcd

as the user and group owner.

3. Ensure the etcd process is ran as the

etcd

user and group by setting the etcd static pod’s

SecurityContext

appropriately.

Source: https://rancher.com/docs/rancher/v2.6/en/security/hardening-guides/rke2-1.6-hardening-2.6/#ensure-etcd-is-configured-properly User creation is (partly ?) documented:

sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

Questions: 1 - Is there a reason to not specify a UID/GID (as opposed to RKE) ? 2 - What is the best way to set the

SecurityContext

for etcd pods ? • Is it done by enabling cis profile into

config.yaml

? (This is not the case of my cluster currently as I try to pass test before enabling it.) • As opposed to RKE, it seems to not be possible to set etcd user/group explicitly into

config.yaml

. • Last option seems to update

/var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml

Let me know if I misunderstood something.

i need the ability for 3 developers to deploy their apps and each get separate ips exposed

Im reading the network docs on rke2 under network options. Why would anyone customize the CNI plugins? i havent been exposed to this part of kubernetes in the past so im trying to understand.

Hello everyone, is it possible to deploy rke2 default nginx-ingress-controller into another namespace instead of kube-system? I’ve tried with HelmChartConfig but it doesn’t help

hi, I just recreated my rke2 cluster from v1.23.8 to v1.23.9+rke2r1, and seeing all my ingress stop working. It is getting connection refused. Anyone know what is happening? I saw one of the changes is nginx-ingress updated to 4.1.x that have some hostnetwork changes.... I was not able to find any doc on any config change needed on the new version. How can I fix this?

👋 Hello, team! I'm facing issues with RKE2 on air-gapped environment. "Failed to create sandbox", because its unable to pull rancher/pause:3.6. I'm pretty sure this image was part of the original RKE2 deployment

so, quick question: is there some image retention taking place? how can we exclude system images like this one?

I have an 3 node IKE2 cluster setup for rancher server with a Load Balancer in front. I need to change the IP addresses of the 3 nodes, but finding that kubectl no longer works. Is it possible to change IP addresses once RKE2 has been installed?

Hi all, I got a small question. Does anyone knows what the release name convention is for RKE? Especially what means the r1 / r2 at the end? For example 1.23.7+rke2r1 and 1.23.7+rke2r2. Why is the r1 a pre-release (but also having releases with rc1)

When I was moving fleet workspaces, I lost the cluster in provisioning.cattle.io (namespace) and also (local cluster) in Cluster view at the start of Rancher app, is there a way to restore the "local" cluster

I can still see it in the left menu list but not in Cluster Management

Hey folks! I would like to change my RKE2 /etc/rancher/rke2/config.yaml file according to CIS recommendations. During installation, I specified the following settings:

server: https://${rke2_server_01_ip_address}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
    - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true

Then I stopped all rke2 nodes (servers and agents). I modified the /etc/rancher/rke2/config.yaml files on all servers.

server: https://${load_balancer_fqdn}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
    - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
kube-apiserver-arg:
  - enable-admission-plugins=AlwaysPullImages,EventRateLimit,NodeRestriction,PodSecurityPolicy
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

When starting rke2-server.service on the first server node, I see in the log that it cannot start. Just loop this messages:

Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_02_ip_address}:9345/v1-rke2/connect"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_03_ip_address}:9345/v1-rke2/connect"

Any comments are welcome!

hi, im working with yocto and have rke2, latest, running. However, calico is having an issue that i cannot figure out. What is the underlying requirement for calico to work?

Hi, I have installed RKE2 with 3 server nodes and 3 agent nodes on baremetal machines spawned off from VMWare and Openstack. The cluster is up and working properly. Now I want to configure an external load balancer right before the 3 server nodes. I have found a document to configure nginx on a baremetal machine but could not able to find the exact steps to configure it. https://rancher.com/docs/rancher/v2.5/en/installation/resources/k8s-tutorials/infrastructure-tutorials/infra-for-rke2-ha/ Please share any documentation links for reference or let me know if these steps are enough to configure a loadbalancer on a baremetal machine.

Guys, I have a situation. My current baremetal RKE2 nodes are in 10.x.x.x and going to moved in 172.x.x.x, I understand there will be lot of hurdles since cluster IPs are changed. I would like to know whether anyone had similar situation and what would be the best practice/advice/solutions for this migration to follow.

Greetings! We have an RKE2 cluster running. We have a client that uses RKE2 as well and we are trying to keep our cluster as close as possible. They are using cis-1.5. We do not have a policy enabled but i was thinking maybe i should also enable it so we dont see any issues. Could this security policy(ies) cause problems with deployments or workloads? thanks

hello i have a problem installing rke2 on a bare metal with vmware esxi7 and centos 8 stream. Basically after installation via script

curl -sfL <https://get.rke2.io> | sh -

, which happens correctly, at the command

systemctl start rke2-server.service

the cluster does not go up. From what I understand from looking at the logs, containerd fails to connect to index.docker.io. Do you have any solutions? I’ll preface this by saying that docker is running normally.

Hi, i am running a simple rke2 server with the following config

cat >/etc/rancher/rke2/config.yaml <<'EOF'
cni: cilium
node-taint: CriticalAddonsOnly=true:NoExecute
write-kubeconfig-mode: 0644
EOF

However, the cilium operator is failing due to

1 node(s) didn't have free ports for the requested pod ports

and that port would be 6942. netstat shows

tcp6    0   0 :::6942         :::*          LISTEN   5246/cilium-operato

. any ideas what is happening there?

i upgraded from rke2 1.23.6 to 1.23.9; my nginx ingress ctrl stoped binding to 80/443. Is there anything known i missed? I'm also slightly lost on how to debug it; which k8s log would be most relevant?