
polite-translator-35958

05/26/2023, 3:25 PM
I swear that I’ve seen a guide that talked about enabling a CIS Profile on an existing RKE2 cluster, but now I can’t seem to find it… am I losing my mind?
With profile: cis-1.23 added to my config.yaml, the systemctl restart rke2-server fails. I feel like I need to add a NetworkPolicy, but now I can’t find the documentation I found that in….

rough-farmer-49135

05/26/2023, 3:29 PM
If restart fails, then it's probably turned on. There are 2-4 commands you'll have to run on some of your nodes to get things to work with CIS profile enabled. They were in the install docs for it and as I recall the logs gave hints. Don't remember the specifics any more, though.

polite-translator-35958

05/26/2023, 3:34 PM
Hmm…okay. Will re-check the install docs. I’ve been following docs.rke2.io/security/hardening_guide and I think I’ve done everything there… Thanks!

rough-farmer-49135

05/26/2023, 3:37 PM
I'd check the logs. It should point to the problem, and instead of it being that you forgot the OS things, it might be telling you that something with the initial etcd is wrong. The main thing I recall is if you start with the CIS profile then any misconfiguration from the profile will cause it to error out and not start.
So the logs might show you that you can turn it on after install time, but it might never work as it might require certain things created in a certain way.

polite-translator-35958

05/26/2023, 3:37 PM
Yeah, the logs make it seem like either etcd is not starting or things can’t talk to it…

rough-farmer-49135

05/26/2023, 3:38 PM
Did you check the static pod logs for etcd?
If you aren't familiar with how to get crictl to work to do that sort of thing, https://gist.github.com/superseb/3b78f47989e0dbc1295486c186e944bf gives the rundown on what you need to do.

polite-translator-35958

05/26/2023, 3:40 PM
Thanks! That’s super helpful. New to rke2 (from rke).

rough-farmer-49135

05/26/2023, 3:41 PM
I was pretty excited when one of the Rancher folks pointed me to that on debugging something a while ago.

polite-translator-35958

05/26/2023, 4:31 PM
Thanks! I think it was just bad etcd perms. I think I had not set up my etcd user correctly.

creamy-pencil-82913

05/26/2023, 5:22 PM
You can also just look at stuff under /var/log/pods; oftentimes that’s way easier than poking about with crictl.