Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
g
great-photographer-94826
08/12/2022, 11:32 AMHey folks!
I would like to change my RKE2 /etc/rancher/rke2/config.yaml file according to CIS recommendations. During installation, I specified the following settings:
server: https://${rke2_server_01_ip_address}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
- fluentd=true
profile: cis-1.6
tls-san:
- ${rke2_server_01_ip_address}
- ${node_fqdn}
- ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: trueserver: https://${load_balancer_fqdn}:9345
token: K10c87116b50b69e15addc8367b07e7a4b10c611a54fc2bca0ac58953f910a7af7c::server:bffba7dd8a3a2b3e212fe95be3fdd392
node-label:
- fluentd=true
profile: cis-1.6
tls-san:
- ${rke2_server_01_ip_address}
- ${node_fqdn}
- ${node_ip}
disable-cloud-controller: true
etcd-snapshot-schedule-cron: "0 */12 * * *"
etcd-snapshot-retention: 5
secrets-encryption: true
kube-apiserver-arg:
- enable-admission-plugins=AlwaysPullImages,EventRateLimit,NodeRestriction,PodSecurityPolicy
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_02_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Failed to connect to proxy" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:18:58 rke2-server-01 rke2[790660]: time="2022-08-12T13:18:58+02:00" level=error msg="Remotedialer proxy error" error="dial tcp ${rke2_server_03_ip_address}:9345: connect: connection refused"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_02_ip_address}:9345/v1-rke2/connect"
Aug 12 13:19:03 rke2-server-01 rke2[790660]: time="2022-08-12T13:19:03+02:00" level=info msg="Connecting to proxy" url="wss://${rke2_server_03_ip_address}:9345/v1-rke2/connect"c
creamy-pencil-82913
08/15/2022, 8:03 PMcheck the apiserver pod logs in /var/log/pods, there’s probably an error in there…
g
great-photographer-94826
08/16/2022, 11:26 AM@creamy-pencil-82913 My config.yaml was wrong because I didn't add "admission-control-config-file=/etc/rancher/rke2/admission.yaml" for EventRateLimit. I added this arg and my servers work fine.