great-photographer-94826

08/12/2022, 11:32 AM
Hey folks! I would like to change my RKE2 /etc/rancher/rke2/config.yaml file according to CIS recommendations. During installation, I specified the following settings:
server: https://${rke2_server_01_ip_address}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
  - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
Then I stopped all rke2 nodes (servers and agents). I modified the /etc/rancher/rke2/config.yaml files on all servers.
server: https://${load_balancer_fqdn}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
  - fluentd=true
profile: cis-1.6
tls-san:
  - ${rke2_server_01_ip_address}
  - ${node_fqdn}
  - ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
kube-apiserver-arg:
  - enable-admission-plugins=AlwaysPullImages,EventRateLimit,NodeRestriction,PodSecurityPolicy
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
When starting rke2-server.service on the first server node, I see in the log that it cannot start. It just loops these messages:
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_02_ip_address}:9345/v1-rke2/connect"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_03_ip_address}:9345/v1-rke2/connect"
Any comments are welcome!

creamy-pencil-82913

08/15/2022, 8:03 PM
check the apiserver pod logs in /var/log/pods, there’s probably an error in there…

great-photographer-94826

08/16/2022, 11:26 AM
@creamy-pencil-82913 My config.yaml was wrong because I didn't add "admission-control-config-file=/etc/rancher/rke2/admission.yaml" for EventRateLimit. I added this arg and my servers work fine.