
most-ghost-71898

05/05/2023, 9:27 AM
So I've been poking around trying to find out why there's a need for the CAPD fork, and it looks like a tough one to crack. RKE2 imposes anonymous-auth=false due to CIS, but that means API health checks fail; HAProxy relies on these to signal control plane readiness. Are there any ideas to get around this, or, since it's Docker infra, is it not a big concern atm?
Apparently there was a proposal that got closed down due to inactivity:
It would be better to allow this by authorizing "system:unauthenticated" to access the /healthz endpoint through RBAC.

cool-thailand-26552

05/10/2023, 11:17 AM
Hi Luis. First, thank you for your contributions, very much appreciated. This suggestion would be working around the RKE2 security principle, which is, in my opinion, not desired. RKE2 encourages a good security posture, which is ignored by CAPD. In my opinion, CAPD should give the possibility to do a custom healthcheck.

most-ghost-71898

05/10/2023, 1:17 PM
So the general idea would be employing CAPD's custom healthcheck and asking rke2-agent to check the health of the API server? I suppose the agent has the necessary auth on hand to call the API server's /healthz and get results.