Hey team, We're running into issues provisioning a 3 CP, 3 worker RKE2 downstream cluster on RHEL 8.10 via Rancher.

kubectl get nodes

shows "Ready," but we're seeing persistent errors like

Failed to create pod sandbox: ... Calico ... TLS handshake timeout

when Calico tries to connect to the API server. This points to a networking/proxy problem. We tried configuring

HTTP_PROXY

,

HTTPS_PROXY

, and

NO_PROXY

(with broad internal ranges including

10.0.0.0/8

and

.<http://xyz.org|xyz.org>

) in

/etc/default/rke2-server

and

/etc/default/rke2-agent

to avoid a global proxy setup. However, the

rancher-system-agent

is still failing to pull images, specifically

rancher/system-agent-installer-rke2:v1.31.7-rke2r1

from

<http://index.docker.io|index.docker.io>

, reporting a

dial tcp ...:443: i/o timeout

. This suggests the proxy isn't being picked up by the system agent for its initial image pulls, or there's an issue with the proxy itself reaching Docker Hub. Any thoughts on why the system agent isn't using the proxy config from

/etc/default/

files, or what else could be causing this image pull timeout and the subsequent Calico TLS handshake errors? Thanks in advance!

You need to set the http proxy env vars in agent env section of the Rancher UI for that cluster. You may not be able to change this after the fact, if the nodes are unable to communicate with rancher without the proxy configured. This is covered in the rancher docs.