This message was deleted.

you’re looking at the node agent, you need to be looking at the cluster agent

Hmm. Okay. I don’t recall seeing a cluster agent pod…I did just get it to connect by turning off the cis 1.23 profile….

cis makes things quite a lot more complicated (though also more secure). If you need that restriction, then you can apply this yaml as your PSA when bringing the cluster up: https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/psa-restricted-exemptions This can be configured on server nodes by providing the relevant flag in config.yaml:

pod-security-admission-config-file: /path/to/that/file

You can also do the piecemeal approach for namespaces one at a time. Note that rancher needs privileged access. Below is an example for

cattle-system

but you’d need to do the same or similar for any of the relevant rancher namespaces

apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
  labels:
    <http://pod-security.kubernetes.io/enforce|pod-security.kubernetes.io/enforce>: privileged
    <http://pod-security.kubernetes.io/enforce-version|pod-security.kubernetes.io/enforce-version>: v1.25
    <http://pod-security.kubernetes.io/audit|pod-security.kubernetes.io/audit>: privileged
    <http://pod-security.kubernetes.io/audit-version|pod-security.kubernetes.io/audit-version>: v1.25
    <http://pod-security.kubernetes.io/warn|pod-security.kubernetes.io/warn>: privileged
    <http://pod-security.kubernetes.io/warn-version|pod-security.kubernetes.io/warn-version>: v1.25

Thanks @gray-lawyer-73831. I did have this all working at some point a few months ago, but I’ve been distracted and the base AMI in my environment has moved from RHEL 8.7 to 8.8. So I’m trying to get my stuff “working” again so that I can work on upgrading the rke2 and Rancher versions…. I’m pretty sure that I have that PSA, but I will double check!