shy-megabyte-75492 (09/22/2022, 7:09 PM):

swift-zebra-42479 (09/23/2022, 5:58 AM):

abundant-yak-72647 (09/25/2022, 4:30 AM):

tall-doctor-28108 (09/26/2022, 1:04 PM):

enough-toddler-31145 (09/26/2022, 1:16 PM):
remote error: tls: bad certificate "remote error: tls: bad certificate"
and I messed with my config a little bit and restarted the bootstrapped server to now get the following error:
E0926 13:03:06.509286 1306356 leaderelection.go:325] error retrieving resource lock kube-system/rke2: Get https://127.0.0.1:6443/api/v1/namespaces/kube-system/configmaps/rke2: dial tcp 127.0.0.1:6443: connect: connection refused
running a curl against this gives the following output:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Then running curl and ignoring certificates gives this output:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Has anyone run into any trouble with rke2-server certificates, specifically on hardened RHEL8 boxes?? Thanks!

bulky-glass-61156 (09/26/2022, 6:52 PM):

shy-zebra-53074 (09/27/2022, 3:40 PM):
1.22.15 even though I’m being very explicit in all of my config options

shy-zebra-53074 (09/27/2022, 3:40 PM):
curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="server" INSTALL_RKE2_VERSION="v1.22.15+rke2r1" INSTALL_RKE2_CHANNEL="v1.22" INSTALL_RKE2_CHANNEL_URL="https://update.rke2.io/v1-release/channels" sudo -E sh -
[INFO] using stable RPM repositories
[INFO] using 1.22 series from channel stable
Rancher RKE2 Common (v1.22) 9.7 kB/s | 2.9 kB 00:00
Rancher RKE2 1.22 (v1.22) 13 kB/s | 2.9 kB 00:00
No match for argument: rke2-server-1.22.15~rke2r1
Error: Unable to find a match: rke2-server-1.22.15~rke2r1

shy-zebra-53074 (09/27/2022, 3:41 PM):
latest, stable and testing

shy-zebra-53074 (09/27/2022, 3:43 PM):
1.22.13 worked but not 1.22.14 / 1.22.15

shy-zebra-53074 (09/27/2022, 3:43 PM):

bright-whale-83501 (09/28/2022, 6:23 PM):

broad-petabyte-50341 (09/28/2022, 8:52 PM):
1.22.6 -> 1.22.13 with my CNI set to cilium
I'm getting failures with some of my pods making connections to postgres. The pods in question are in the same namespace, I'm able to connect to the database manually, the pods have the correct creds, but they can't connect and I'm not getting a helpful error message. Reverting to 1.22.6 fixes the issue.

high-winter-92040 (09/29/2022, 11:07 AM):

shy-zebra-53074 (09/29/2022, 3:31 PM):
fapolicyd continuing to block runc even though it’s been allowed as a rule AND added to the trust database??

shy-zebra-53074 (09/29/2022, 3:33 PM):
[root@ip-192-168-96-10 ~]# cat /etc/fapolicyd/rules.d/01-app.rules
# uids
%uuids=0,1000
# Run RKE2
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/
allow perm=any all : dir=/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074 (09/29/2022, 3:34 PM):
[root@ip-192-168-96-10 ~]# cat /etc/fapolicyd/trust.d/app
# AUTOGENERATED FILE VERSION 2
# This file contains a list of trusted files
#
# FULL PATH SIZE SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/usr/bin/unzip 206704 299d6bae8ec58c76e087f8516cb6be438db2481bbab9b2b61a6c6a5c206a27f3
/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc 11068888 b3276789a9b735b758e6292ce469192c9ef77514bf7fa3b3fef77d631a4e4ee3

shy-zebra-53074 (09/29/2022, 3:34 PM):
[root@ip-192-168-96-10 ~]# sha256sum /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc
b3276789a9b735b758e6292ce469192c9ef77514bf7fa3b3fef77d631a4e4ee3 /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074 (09/29/2022, 3:35 PM):
[root@ip-192-168-96-10 ~]# ausearch -m fanotify --raw | aureport --file --summary
File Summary Report
===========================
total file
===========================
609 /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074 (09/29/2022, 4:21 PM):

kind-air-74358 (09/30/2022, 1:10 PM):

sparse-fireman-14239 (10/03/2022, 11:20 AM):

shy-zebra-53074 (10/03/2022, 6:00 PM):
fapolicyd
here’s a thread I had that resolved my issue: https://github.com/linux-application-whitelisting/fapolicyd/issues/205

ancient-air-32350 (10/03/2022, 8:19 PM):

little-actor-95014 (10/03/2022, 8:57 PM):
"plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized"
since upgrading to v1.24.6+rke2r1 from a 1.23 release? I assume it's something to do with the change to service account configs in 1.24 with LegacyServiceAccountTokenNoAutoGeneration going to be enabled by default?

boundless-dog-9864 (10/05/2022, 1:52 PM):

able-engineer-22050 (10/05/2022, 6:06 PM):

great-flag-38820 (10/06/2022, 4:59 AM):

famous-energy-13283 (10/06/2022, 6:12 PM):

future-monitor-61871 (10/06/2022, 6:53 PM):