I swear that I’ve seen a guide that talked about enabling a CIS Profile on an existing RKE2 cluster, but now I can’t seem to find it…am I losing my mind?

If restart fails, then it's probably turned on. There are 2-4 commands you'll have to run on some of your nodes to get things to work with CIS profile enabled. They were in the install docs for it and as I recall the logs gave hints. Don't remember the specifics any more, though.

Hmm…okay. Will re-check the install docs. I’ve been following docs.rke2.io/security/hardening_guide and I think I’ve done everything there… Thanks!

I'd check the logs. It should point to the problem, and instead of it being forgetting the OS things, it might be telling you that something with the initial etcd is wrong. The main thing I recall is if you start with the CIS profile then any misconfiguration from the profile will cause it to error out and not start.

Yeah, the logs make it seem like either etcd is not starting or things can’t talk to it…

Did you check the static pod logs for etcd?

Thanks! That’s super helpful. New to rke2 (from rke)

I was pretty excited when one of the Rancher folks pointed me to that on debugging something a while ago.

Thanks! I think it was just bad etcd perms. I think I had not set up my etcd user correctly.

you can also just look at stuff under /var/log/pods, often times that’s way easier than poking about with crictl