rke2
ripe-queen-73614
07/28/2022, 8:54 AM
Hello team, I have an rke2 cluster with 6 nodes, three of them masters and three workers. On the masters we disabled the installation of ingress-nginx but not on the workers, and I don't see it installed. The thing is that I want to set up an entry for a Kibana ECK that I have installed and it doesn't work for me. I understand that it is because the nginx ingress is not installed, is that correct?

ripe-queen-73614
07/28/2022, 8:55 AM
How can I install ingress-nginx now? My version of rke2 is the following: rke2 version v1.21.6+rke2r1

refined-area-45178
07/28/2022, 9:01 AM
Hello everyone, is it possible to deploy rke2 default nginx-ingress-controller into another namespace instead of kube-system? I’ve tried with HelmChartConfig but it doesn’t help

billions-kite-9416
07/28/2022, 10:56 AM
I am trying to enable a new feature gate on my API server. After editing the config.yaml file and restarting the rke2-server process, the API server never comes back up and there are 500 Internal Server Errors from kube-proxy in the logs. Does anyone have any idea how to go about this?

eager-refrigerator-66976
07/28/2022, 12:46 PM
Hey guys, is there a way I can disable the CRB global-unrestricted-psp-rolebinding provisioned by default?
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-07-20T11:45:40Z"
  name: global-unrestricted-psp-rolebinding
  resourceVersion: "229"
  uid: 8dca97e8-3cf9-4eeb-a8c8-2b84efb70e55
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: global-unrestricted-psp-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
That gives unrestricted access to anything authenticated…

bored-rain-98291
07/28/2022, 3:03 PM
We are hosting RKE2 on a bare-metal cluster. I read that rke2 has the nginx-ingress controller already installed? What configuration do I need to make so developers can use this for their deployments? Thanks for any help

bored-rain-98291
07/28/2022, 3:45 PM
Also, what would MetalLB add that the ingress controller does not already provide?

aloof-church-32790
07/28/2022, 6:05 PM
When setting:
cloud-provider-name: external
disable-cloud-controller: true
Shouldn't the nodes be tainted with "node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule"? Trying to figure out why this isn't happening for me.

swift-zebra-42479
07/29/2022, 6:06 AM
Hi, please suggest to me the two points below for RKE2:
• Management of security certificates and enabling data encryption
• SSL-enabled endpoint verification

bored-rain-98291
07/29/2022, 1:32 PM
Not to sound like a n00b, but it's not clear how to modify the nginx ingress controller for normal operation. I have devs wanting to deploy their apps and set their internal hostnames. Is it basically just modifying the manifest like a normal deployment?

magnificent-vr-88571
08/01/2022, 3:17 PM
Thanks for making https://www.raptorswithhats.com/gitea-on-rke2-metallb/

millions-book-52954
07/25/2022, 11:07 AM
Hello, I'm currently looking to configure my RKE2 cluster (v1.23.6+rke2r2) to be more secure based on CIS 1.6. Is there a best practice or a consensus to be compliant with this CIS test?
1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd
1. Check that the etcd user and group exist on the host. If they don’t, exit with an error.
2. Create etcd’s data directory with etcd as the user and group owner.
3. Ensure the etcd process is run as the etcd user and group by setting the etcd static pod’s SecurityContext appropriately.
Source: https://rancher.com/docs/rancher/v2.6/en/security/hardening-guides/rke2-1.6-hardening-2.6/#ensure-etcd-is-configured-properly
User creation is (partly?) documented:
sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
Questions:
1 - Is there a reason to not specify a UID/GID (as opposed to RKE)?
2 - What is the best way to set the SecurityContext for etcd pods?
• Is it done by enabling the cis profile in config.yaml? (This is not the case for my cluster currently, as I try to pass the test before enabling it.)
• As opposed to RKE, it seems not to be possible to set the etcd user/group explicitly in config.yaml.
• The last option seems to be to update /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
Let me know if I misunderstood something.

bored-rain-98291
08/02/2022, 3:04 PM
I need the ability for 3 developers to deploy their apps and each get separate IPs exposed

bored-rain-98291
08/02/2022, 2:46 PM
I'm reading the network docs on rke2 under network options. Why would anyone customize the CNI plugins? I haven't been exposed to this part of Kubernetes in the past, so I'm trying to understand.

refined-area-45178
08/02/2022, 6:16 PM
Hello everyone, is it possible to deploy rke2 default nginx-ingress-controller into another namespace instead of kube-system? I’ve tried with HelmChartConfig but it doesn’t help

clean-airplane-85370
08/04/2022, 2:24 PM
Hi, I just recreated my rke2 cluster from v1.23.8 to v1.23.9+rke2r1, and I'm seeing all my ingresses stop working. It is getting connection refused. Anyone know what is happening? I saw one of the changes is nginx-ingress updated to 4.1.x, which has some hostNetwork changes... I was not able to find any doc on any config change needed for the new version. How can I fix this?

sticky-megabyte-50644
08/04/2022, 5:44 PM
👋 Hello, team! I'm facing issues with RKE2 in an air-gapped environment: "Failed to create sandbox", because it's unable to pull rancher/pause:3.6. I'm pretty sure this image was part of the original RKE2 deployment

sticky-megabyte-50644
08/04/2022, 5:57 PM
So, quick question: is there some image retention taking place? How can we exclude system images like this one?

stale-painting-80203
08/05/2022, 4:22 PM
I have a 3-node RKE2 cluster set up for Rancher server with a load balancer in front. I need to change the IP addresses of the 3 nodes, but I'm finding that kubectl no longer works. Is it possible to change IP addresses once RKE2 has been installed?

kind-air-74358
08/10/2022, 9:20 AM
Hi all, I've got a small question. Does anyone know what the release name convention is for RKE2? Especially, what does the r1 / r2 at the end mean? For example 1.23.7+rke2r1 and 1.23.7+rke2r2. Why is the r1 a pre-release (while also having releases with rc1)?

ambitious-plastic-3551
08/10/2022, 6:09 PM
When I was moving fleet workspaces, I lost the cluster in provisioning.cattle.io (namespace) and also the (local cluster) in the Cluster view at the start of the Rancher app. Is there a way to restore the "local" cluster?

ambitious-plastic-3551
08/10/2022, 6:11 PM
I can still see it in the left menu list but not in Cluster Management

great-photographer-94826
08/12/2022, 11:32 AM
Hey folks! I would like to change my RKE2 /etc/rancher/rke2/config.yaml file according to CIS recommendations. During installation, I specified the following settings:
server: https://${rke2_server_01_ip_address}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
    - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
Then I stopped all rke2 nodes (servers and agents). I modified the /etc/rancher/rke2/config.yaml files on all servers:
server: https://${load_balancer_fqdn}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
    - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
kube-apiserver-arg:
  - enable-admission-plugins=AlwaysPullImages,EventRateLimit,NodeRestriction,PodSecurityPolicy
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
When starting rke2-server.service on the first server node, I see in the log that it cannot start. It just loops these messages:
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_02_ip_address}:9345/v1-rke2/connect"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_03_ip_address}:9345/v1-rke2/connect"
Any comments are welcome!

stale-fish-49559
08/15/2022, 5:51 PM
Hi, I'm working with Yocto and have rke2, latest, running. However, Calico is having an issue that I cannot figure out. What is the underlying requirement for Calico to work?

narrow-noon-75604
08/16/2022, 1:22 PM
Hi, I have installed RKE2 with 3 server nodes and 3 agent nodes on bare-metal machines spawned off from VMware and OpenStack. The cluster is up and working properly. Now I want to configure an external load balancer right before the 3 server nodes. I have found a document on configuring nginx on a bare-metal machine but could not find the exact steps to configure it. https://rancher.com/docs/rancher/v2.5/en/installation/resources/k8s-tutorials/infrastructure-tutorials/infra-for-rke2-ha/ Please share any documentation links for reference, or let me know if these steps are enough to configure a load balancer on a bare-metal machine.

magnificent-vr-88571
08/18/2022, 2:36 PM
Guys, I have a situation. My current bare-metal RKE2 nodes are in 10.x.x.x and are going to be moved to 172.x.x.x. I understand there will be a lot of hurdles since the cluster IPs are changed. I would like to know whether anyone has had a similar situation and what would be the best practice/advice/solutions to follow for this migration.

bored-rain-98291
08/18/2022, 3:26 PM
Greetings! We have an RKE2 cluster running. We have a client that uses RKE2 as well, and we are trying to keep our cluster as close as possible. They are using cis-1.5. We do not have a policy enabled, but I was thinking maybe I should also enable it so we don't see any issues. Could this security policy (or policies) cause problems with deployments or workloads? Thanks

orange-cpu-47176
08/18/2022, 3:50 PM
Hello, I have a problem installing rke2 on bare metal with VMware ESXi 7 and CentOS 8 Stream. Basically, after installation via the script curl -sfL https://get.rke2.io | sh -, which happens correctly, at the command systemctl start rke2-server.service the cluster does not come up. From what I understand from looking at the logs, containerd fails to connect to index.docker.io. Do you have any solutions? I’ll preface this by saying that docker is running normally.

stale-fish-49559
08/18/2022, 8:17 PM
Hi, I am running a simple rke2 server with the following config:
cat >/etc/rancher/rke2/config.yaml <<'EOF'
cni: cilium
node-taint: CriticalAddonsOnly=true:NoExecute
write-kubeconfig-mode: 0644
EOF
However, the cilium operator is failing due to
1 node(s) didn't have free ports for the requested pod ports
and that port would be 6942. netstat shows
tcp6    0   0 :::6942         :::*          LISTEN   5246/cilium-operato
Any ideas what is happening there?

billions-easter-91774
08/18/2022, 9:52 PM
I upgraded from rke2 1.23.6 to 1.23.9; my nginx ingress controller stopped binding to 80/443. Is there anything known that I missed? I'm also slightly lost on how to debug it; which k8s log would be most relevant?
