Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
b
busy-flag-55906
04/18/2023, 10:25 AMgood day, i am adding audit policy on the downstream cluster using crd Cluster and the problem is that kube-api manifest created with the readonly mount:
- mountPath: /var/lib/rancher/rke2/server/logs/policy.log
name: file5
readOnly: true
cluster settings are the following:
kube-apiserver-arg:
- audit-policy-file=/var/lib/rancher/rke2/server/logs/policy-test.yaml
- audit-log-path=/var/lib/rancher/rke2/server/logs/policy.log
how can i set mount policy?
c
creamy-pencil-82913
04/18/2023, 5:07 PMOn all currently available releases, you need to add a extra mount for the log directory in order to get the log file actually written to the host
b
busy-flag-55906
04/19/2023, 9:11 AMthanks, will try this
is there any full reference for those options? https://github.com/rancher/rke2/issues/1183#issuecomment-1242031356
Untitled
Untitled
also, i have noticed that 2 of 3 master nodes have problems with rke-server service
Untitled
and it seems that kube api manifests have been updated, but not applied to the pod
c
creamy-pencil-82913
04/19/2023, 2:25 PMI suspect you have a syntax error somewhere. What's the complete configuration file look like?
b
busy-flag-55906
04/20/2023, 7:35 AMhere is my current spec:
Untitled
the only settings i add are :
Untitled
c
creamy-pencil-82913
04/20/2023, 7:46 AMwhat does the resulting config on the rke2 node look like? under /etc/rancher/rke2/config.yaml.d ?
I believe Rancher does some filtering of the config, you can’t set everything via the cluster editor. You might have to drop the required config directly on the node.
b
busy-flag-55906
04/20/2023, 8:56 AMUntitled
current configuration results in mounts with readonly fs for logs collection
changing audit output path to audit-log-path=- will produce another issues where 1 master is working fine and all logs are logged to stdout but 2 other masters remain in broken state
c
creamy-pencil-82913
04/20/2023, 3:41 PMCan you try putting the policy file somewhere other than where you’re going to be writing logs?audit-policy-file=/var/log/audit-k8s/policy-test.yaml
The log output mount shouldn’t have any other files mounted under it, and the policy file would violate that
b
busy-flag-55906
04/21/2023, 7:59 AMi have moved audit policy file to a different dir, however the issue with read only mount remains:
Untitled
Untitled
c
creamy-pencil-82913
04/21/2023, 3:15 PMDo you have selinux policy or something else that is blocking the write? We don't set up the mount as read-only.
It is just a normal hostpath mount
b
busy-flag-55906
04/24/2023, 7:07 AMno, i do not have anything like this, inside kube-api manifest this path is set as read-only once i add it
the things become more weirder, finally the same configuration in cluster have been updated on all masters, but another issue is that 2 or 3 servers have kube-api running with incorrect settings, in manifest i see the following:
Untitled
crictl inspect $POD :
Untitled
/etc/rancher/rke2/config.yaml.d/50-rancher.yaml:
Untitled
i have just noticed that kubelet is not able to start properly, probably thats why kube-api havent restarted yet
Untitled
Untitled