So i ve been poking around trying to find why the need for the CAPD fork and it looks like a tough one to crack RKE2 imposes `anonymous auth=false` due to CIS but that means <https github com kubernetes kubeadm issues 798|API health checks fail> HAproxy relies on these to signal control plane readiness Are there any ideas to get around this or since its Docker infra not a big concern atm

Apparently there was a <https github com kubernetes kubernetes issues 43540|proposal> that got closed down due to inactivity gt It would be better to allow this by authorizing system unathenticated to access the healthz endpoint through RBAC

So i ve been poking around trying to find why the need for t rancher-users #cabpr

Title

most-ghost-71898

05/05/2023, 9:27 AM

So i've been poking around trying to find why the need for the CAPD fork and it looks like a tough one to crack. RKE2 imposes

anonymous-auth=false

due to CIS but that means API health checks fail, HAproxy relies on these to signal control plane readiness. Are there any ideas to get around this or since its Docker infra not a big concern atm?

Apparently there was a proposal that got closed down due to inactivity:

It would be better to allow this by authorizing "system:unathenticated" to access the /healthz endpoint through RBAC.

cool-thailand-26552

05/10/2023, 11:17 AM

Hi Luis, First, thank you for your contributions, very much appreciated. This suggestion would be working around the RKE2 security principle, which is, in my opinion, not desired. RKE2 encourages a good security posture, which is ignored by CAPD. In my opinion, CAPD should give the possibility to do a custom healthcheck.

most-ghost-71898

05/10/2023, 1:17 PM

So the general idea would be employing CAPD's custom healthcheck and ask rke2-agent to check the health of the api server? I suppose the agent has the necessary auth on hand to call api server's

/healthz

and get results

4 Views

#cabpr Join Slack