This message was deleted.
# rke2a
adamant-kite-43734
12/29/2023, 6:20 PMThis message was deleted.
n
nutritious-tomato-14686
12/29/2023, 7:54 PMThey are not mutually exclusive. The docs should be updated to improve readability.
nutritious-tomato-14686
12/29/2023, 7:55 PMSo for you case, you would have:
Copy code
profile: cis-1.23
pod-security-admission-config-file: /path/to/my/custom/pss.yamlnutritious-tomato-14686
12/29/2023, 8:02 PMYou can see here in the code how if we see a
pod-security-admission-config-fileprofile: cis-XXnutritious-tomato-14686
12/29/2023, 8:06 PMAlso I should note that in newer releases of RKE2, we introduced a generic
profile: cisf
full-train-34126
12/29/2023, 8:12 PMOk, that's cool. I see how it's supposed to work. Doesn't fully explain what I saw in practice, but I must have made an error somewhere . I could have sworn when I installed with both values in the config it still created the default rke2-pss.yaml. That was on 1.25.7. I'll do some more testing in the new year, and check the release notes see of there was a bug fix for a minor version or something.
Will be good to get to the generic 'cis' thing, much easier. Having to stay a few versions behind though waiting for Rancher compatibility to catch up.
Thanks for your prompt response.
n
nutritious-tomato-14686
12/29/2023, 8:18 PMYeah Rancher is slower to support new K8s versions, but we did introduce the generic profile in 1.25.14, so you might have it supported depending on your rancher version. I will double check 1.25.7
nutritious-tomato-14686
12/29/2023, 8:43 PMI validated that it works with 1.25.7, if you want to see what arguments
kube-apiserverjournalctlRunning kube-apiserver/var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yamlf
full-train-34126
12/29/2023, 8:55 PMThat's great, thanks. I was looking at the pod describe for the api server, bit that's a good tip. I'll do some more testing. Thanks very much for your help.
17 Views