Im reading the network docs on rke2 under network options. Why would anyone customize the CNI plugins? i havent been exposed to this part of kubernetes in the past so im trying to understand.

What degree of change you're talking about. If you want to change the IP space that your pods & services use then your CNI would be needing to pay attention to those options, and that seems like an easy one. Another one I've heard is some people with Calico like doing fancy things since it just uses BGP so you can technically hook things outside the cluster to reach inside with that. Though that seems like a likely niche use case.

Hi Bill! I just setup an azure k8s cluster for a different project. It was great that i could deploy and immediately get an external ip address to the service. I have this same need where several developers are going to be deploying their services to an RKE2 cluster on bare metal (well in vms). But i understand that is a big challenge on metal.

You might be interested in this then: https://projectcalico.docs.tigera.io/security/hosts . I've had it mentally bookmarked to go back and look at since the CNIs don't work with firewalld.

hey thanks! ive been preparing for my CKA exam for a while and am hoping one of these days this stuff just clicks

If you're just doing a normal web app that's enough. I know when we tried looking at Prisma Cloud Compute it had some things it wanted more ports exposed for and I needed to monkey around a bit to get around not using LoadBalancer s.

so i would need to change away from flannel to calico correct?

For the firewall bits on the tigera.io then yes, though it might work with Canal too (which is Flannel + Calico)

right

I picked Calico when I played vanilla because poking around what I found suggested that the cloud providers use it. For RKE2 I've just used default, which is Canal if installed manually & Calico if installed through the UI (though it's just a dropdown option to switch).

exactly!

I've only used FOSS versions. For customer getting commercial support the plan for that is through Rancher.

ah ok - so what is the specific product from tigera i need to configure? or is it already part of rke2?

The Tigera link is the FOSS Calico docs.

lol ah ok - so basically i have everything i need

To the best of my knowledge, if you find something missing let me know as I may run into it later too.

thanks for the link. You helped me again!

Not necessarily. The Rancher UI takes a Kubernetes cluster (if you want it HA), so if you just want RKE2 and don't plan on using Rancher UI to manage Kubernetes clusters (auth definitely managed through there, also some handy user-friendly bits) then that's still a perfectly viable option. RKE2 is certainly nice on its own.

agreed and we arent using the ha version since its just a dev cluster. 1 master 2 agents.

You could play around with the Rancher UI by running it in a Docker container and see if you think it's worth it or not. If you've got devs afraid of the command line that want a UI then Rancher UI makes it nicer to get to a shell in a container or the logs, but you can do all the same with kubectl or other commands already. As a note, if you want RKE2 with SELinux enforcing then you can't deploy RKE2 through the UI yet and have to still manually install and join later as a pre-existing cluster.

good to know - thanks! most of the devs are forced to use terminal in other projects they work on so im not too worried about it