Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
f
fast-garage-66093
04/20/2023, 5:12 PMr
rich-thailand-62341
04/20/2023, 5:16 PMIf I provide a
--kube-apiserver-argI'm guessing there may already be options set in the option I'd like to add to:
--enable-admission-plugins=NodeRestriction,PodSecurityf
fast-garage-66093
04/20/2023, 5:18 PMIt will just be appended
r
rich-thailand-62341
04/20/2023, 5:18 PMOh great, I'll give it a go. Thanks for the assistance
f
fast-garage-66093
04/20/2023, 5:19 PMYeah, for those options that specify a list, I'm not sure what apiserver does. The effect will be the same as
--enable-admission-plugins=NodeRestriction --enable-admission-plugins=PodSecurityr
rich-thailand-62341
04/20/2023, 5:21 PMIn clusters I'm used to working with, I can view the pod spec for the kube-apiserver, which is nice for debugging the flags. I'm not very experienced with k3s yet, maybe it's not running as a pod? Can't seem to find it
f
fast-garage-66093
04/20/2023, 5:27 PMYou can find more information at CIS Hardening Guide | K3s
Note that Rancher Desktop is meant to be a dev environment and should not be used for production. But of course you should be able to use PSPs for development/testing purposes
r
rich-thailand-62341
04/20/2023, 5:29 PMExcellent, that's my intended purpose 🙂
Thanks a bunch for your quick and thorough assistance!
Just circling back, this override worked to get PSA enabled:
env:
K3S_EXEC: "--kube-apiserver-arg=enable-admission-plugins=PodSecurity"f
fast-garage-66093
04/20/2023, 5:48 PMBut is the
NodeRestrictionPolicyr
rich-thailand-62341
04/20/2023, 5:49 PMI'll see if I can find it, I have yet to locate where the kube-apiserver instance is running
I suppose it's in the lima vm somewhere, but I haven't figured out how to look around in there
f
fast-garage-66093
04/20/2023, 5:51 PMrdctl shellr
rich-thailand-62341
04/20/2023, 5:58 PMFound the k3s.log:
~/Library/logs/rancher-desktop/k3s.log👍 1
cat k3s.log | grep "Running kube-apiserver"
time="2023-04-20T17:28:08Z" level=info msg="Running kube-apiserver --advertise-address=192.168.205.2 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=<https://kubernetes.default.svc.cluster.local>,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=PodSecurity --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --etcd-servers=<unix://kine.sock> --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=<https://kubernetes.default.svc.cluster.local> --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"NodeRestrictionPolicyf
fast-garage-66093
04/20/2023, 5:59 PMI thought it was there by default, but not sure either
r
rich-thailand-62341
04/20/2023, 6:03 PMYeah,
NodeRestrictioncat ~/Library/logs/rancher-desktop/k3s.log | grep "Running kube-apiserver"
time="2023-04-20T18:00:50Z" level=info msg="Running kube-apiserver --advertise-address=192.168.205.2 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=<https://kubernetes.default.svc.cluster.local>,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --etcd-servers=<unix://kine.sock> --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=<https://kubernetes.default.svc.cluster.local> --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"This override works and keeps NodeRestriction
override.yaml:
env:
K3S_EXEC: "--kube-apiserver-arg=enable-admission-plugins=NodeRestriction,PodSecurity"👍 1