I'm trying to set up <node-allocatable>. Using ran...
I'm trying to set up node-allocatable, using Rancher on an RKE2 downstream cluster with the manifest below. The issue I'm facing is that it is not setting up the cgroup specified in `kube-reserved-cgroup`, although I do see node allocatable change on each node. Is there any way to force this, so I can guarantee resource availability for the `kubelet` and other system services? Rancher version: v2.7.3 (installed using the docker command).
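# Rancher provisioning object describing the RKE2 downstream cluster "foo".
apiVersion: provisioning.cattle.io/v1
kind: Cluster
metadata:
  annotations:
    field.cattle.io/creatorId: user-8xmdj
  # NOTE(review): finalizers and uid look like values copied from a live
  # object rather than hand-written input; confirm before re-applying this
  # manifest to another cluster.
  finalizers:
    - wrangler.cattle.io/cloud-config-secret-remover
    - wrangler.cattle.io/provisioning-cluster-remove
    - wrangler.cattle.io/rke-cluster-remove
  name: foo
  namespace: fleet-default
  uid: cf2c90a9-37c7-4290-8185-32e8c5042a4b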
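spec:
  # Pod Security Admission configuration template selected for the cluster.
  defaultPodSecurityAdmissionConfigurationTemplateName: rancher-restricted
  kubernetesVersion: v1.25.9+rke2r1
  localClusterAuthEndpoint: {}
  rkeConfig:
    # Extra manifest shipped with the cluster config: a HelmChartConfig that
    # sets nodelocal.enabled for the rke2-coredns chart in kube-system.
    # The embedded apiVersion must be the plain API group/version string,
    # because this block scalar is passed on verbatim.
    additionalManifest: |-
      ---
      apiVersion: helm.cattle.io/v1
      kind: HelmChartConfig
      metadata:
        name: rke2-coredns
        namespace: kube-system
      spec:
        valuesContent: |-
          nodelocal:
            enabled: true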
    # No value overrides for the canal chart.
    chartValues:
      rke2-canal: {}
    etcd:
      snapshotRetention: 5
      # Quoted so the cron expression is always read as a single string.
      snapshotScheduleCron: '0 */5 * * *'
    # Settings applied to every machine in the cluster.
    machineGlobalConfig:
      cni: canal
      disable:
        - rke2-ingress-nginx
      disable-kube-proxy: false
      etcd-expose-metrics: false
      kube-apiserver-arg:
        # Same path as the admission-config-psact file listed under
        # machineSelectorFiles.
        - 'admission-control-config-file=/etc/rancher/rke2/config/rancher-psact.yaml'
        # NOTE(review): a user-supplied enable-admission-plugins value may
        # replace the distribution's default plugin list instead of extending
        # it; confirm on the running kube-apiserver that NodeRestriction is
        # still enabled alongside AlwaysPullImages.
        - 'enable-admission-plugins=AlwaysPullImages'
    # Per-machine configuration. This entry has no machineLabelSelector, so it
    # presumably applies to all machines -- confirm against the Rancher docs.
    machineSelectorConfig:
      - config:
          # Node-allocatable settings for the kubelet.
          # kube-reserved / system-reserved are subtracted from node capacity
          # when allocatable is computed. They become cgroup limits on the
          # *-reserved-cgroup targets only if enforce-node-allocatable lists
          # kube-reserved / system-reserved; the kubelet default is "pods".
          # No enforce-node-allocatable arg is set in this list.
          # NOTE(review): the kubelet does not create the named cgroups; they
          # must already exist on the node, and the kubelet fails if an
          # enforced cgroup is invalid. Enforcing limits on system.slice can
          # starve host daemons, so size the reservations from measured usage
          # before enabling enforcement.
          kubelet-arg:
            - 'cgroups-per-qos'
            - 'kube-reserved=cpu=200m,memory=256Mi,ephemeral-storage=5G'
            - 'kube-reserved-cgroup=runtime.slice'
            - 'system-reserved=cpu=200m,memory=256Mi,ephemeral-storage=10G'
            - 'system-reserved-cgroup=system.slice'
            # Hard eviction thresholds; also deducted from allocatable.
            - 'eviction-hard=memory.available<256Mi,imagefs.available<5%,nodefs.available<5%'
          # CIS hardening profile for RKE2.
          profile: cis-1.23
          # NOTE(review): with this set, the kubelet is expected to refuse to
          # start if kernel tunables differ from its defaults instead of
          # changing them -- confirm the node sysctls are pre-set.
          protect-kernel-defaults: true
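    # Files written to machines from Secrets. Both entries select machines
    # carrying the control-plane role label.
    machineSelectorFiles:
      # Audit policy file for the control-plane nodes.
      - fileSources:
          - secret:
              items:
                - key: policy
                  path: /etc/rancher/rke2/audit-policy.yaml
              name: foo-audit-policy
        machineLabelSelector:
          matchLabels:
            rke.cattle.io/control-plane-role: 'true'
      # Pod Security Admission configuration; the path matches the
      # admission-control-config-file kube-apiserver argument.
      - fileSources:
          - secret:
              items:
                # NOTE(review): only this item carries a hash; presumably it
                # lets Rancher detect content changes -- confirm, and check
                # whether the audit-policy item should have one too.
                - hash: nvQtuo8wEKrAHeiiWgF459YS45FPDtfvKh5D63okHnQ=
                  key: admission-config-psact
                  path: /etc/rancher/rke2/config/rancher-psact.yaml
              name: foo-admission-configuration-psact
        machineLabelSelector:
          matchLabels:
            rke.cattle.io/control-plane-role: 'true'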
    # No private registry configuration.
    registries: {}
    # Certificate rotation request limited to the api-server service.
    rotateCertificates:
      generation: 1
      services:
        - api-server
    # Upgrade one control-plane node and one worker at a time.
    upgradeStrategy:
      controlPlaneConcurrency: '1'
      # Draining is disabled (enabled: false) for control-plane nodes.
      # NOTE(review): the remaining drain options presumably only take effect
      # once enabled is true -- confirm.
      controlPlaneDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        ignoreErrors: false
        postDrainHooks: null
        preDrainHooks: null
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120
      workerConcurrency: '1'
      # Same settings as the control-plane drain options; draining is
      # disabled for workers as well.
      workerDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        ignoreErrors: false
        postDrainHooks: null
        preDrainHooks: null
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120