
busy-flag-55906

04/18/2023, 10:25 AM
Good day, I am adding an audit policy on the downstream cluster using the Cluster CRD, and the problem is that the kube-api manifest is created with a read-only mount:
- mountPath: /var/lib/rancher/rke2/server/logs/policy.log
  name: file5
  readOnly: true
The cluster settings are the following:
kube-apiserver-arg:
- audit-policy-file=/var/lib/rancher/rke2/server/logs/policy-test.yaml
- audit-log-path=/var/lib/rancher/rke2/server/logs/policy.log
How can I set the mount policy?

creamy-pencil-82913

04/18/2023, 5:07 PM
On all currently available releases, you need to add an extra mount for the log directory in order to get the log file actually written to the host.

busy-flag-55906

04/19/2023, 9:11 AM
Thanks, will try this.
Is there any full reference for those options? https://github.com/rancher/rke2/issues/1183#issuecomment-1242031356
Also, I have noticed that 2 of 3 master nodes have problems with the rke-server service.
And it seems that the kube-api manifests have been updated but not applied to the pod.

creamy-pencil-82913

04/19/2023, 2:25 PM
I suspect you have a syntax error somewhere. What does the complete configuration file look like?

busy-flag-55906

04/20/2023, 7:35 AM
Here is my current spec:
The only settings I add are:

creamy-pencil-82913

04/20/2023, 7:46 AM
What does the resulting config on the rke2 node look like, under /etc/rancher/rke2/config.yaml.d?
I believe Rancher does some filtering of the config, you can’t set everything via the cluster editor. You might have to drop the required config directly on the node.

busy-flag-55906

04/20/2023, 8:56 AM
The current configuration results in mounts with a read-only fs for log collection.
Changing the audit output path to audit-log-path=- produces another issue, where 1 master is working fine and all logs are logged to stdout, but the 2 other masters remain in a broken state.

creamy-pencil-82913

04/20/2023, 3:41 PM
audit-policy-file=/var/log/audit-k8s/policy-test.yaml
Can you try putting the policy file somewhere other than where you’re going to be writing logs?
The log output mount shouldn't have any other files mounted under it, and the policy file would violate that.

busy-flag-55906

04/21/2023, 7:59 AM
I have moved the audit policy file to a different dir; however, the issue with the read-only mount remains:

creamy-pencil-82913

04/21/2023, 3:15 PM
Do you have selinux policy or something else that is blocking the write? We don't set up the mount as read-only.
It is just a normal hostPath mount.

busy-flag-55906

04/24/2023, 7:07 AM
No, I do not have anything like this; inside the kube-api manifest this path is set as read-only once I add it.
Things get even weirder: finally the same configuration in the cluster has been updated on all masters, but another issue is that 2 or 3 servers have kube-api running with incorrect settings. In the manifest I see the following:
crictl inspect $POD:
/etc/rancher/rke2/config.yaml.d/50-rancher.yaml:
I have just noticed that the kubelet is not able to start properly; probably that's why kube-api hasn't restarted yet.