# rke2
e
Hey team, I’m working in a proxied environment (external connectivity only via HTTP proxy) and using /etc/default/rke2-server for proxy configuration. The downstream RKE2 cluster is created via Rancher + Terraform.

Issue:
• If I set the containerd-specific proxy in /etc/default/rke2-server, the cluster doesn’t work:
CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888
CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888
CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
• But if I set the HTTP proxy in /etc/default/rke2-server, the cluster forms fine:
HTTP_PROXY=http://your-proxy.example.com:8888
HTTPS_PROXY=http://your-proxy.example.com:8888
NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Questions:
1. Why does the containerd-specific proxy setting prevent the cluster from forming, while the global HTTP proxy works?
2. For security reasons, we only want containerd to have the proxy config (not kube-proxy or the RKE2 ). Any recommendations or best practices for this setup? Thanks in advance.
c
Binaries for containerd, kubelet, and so on are extracted from the rke2-runtime image by the rke2 process. If you need to pull this image via a proxy, then you MUST configure proxy for the rke2 process - not just containerd.
Your other options are to use a private registry that does not require the proxy, or place an airgap image tarball containing the correct rke2-runtime image on your nodes.
e
Ok, thank you. @creamy-pencil-82913 what is the role of the containerd proxy, or when should I only configure containerd_proxy?
Can you also give me more info or a doc link on this: "place an airgap image tarball containing the correct rke2-runtime image on your nodes."
c
Check the rke2 airgap docs
e
What is the role of the containerd proxy, or when should I configure "only" containerd_proxy? As per online: "containerd is the low-level container runtime used by RKE2 (and most modern Kubernetes setups) to pull and run container images." I'm confused about the role of the HTTPS proxy vs. containerd_proxy. Please advise.
@creamy-pencil-82913
c
Containerd pulls images FOR CONTAINERS. If you only want containerd to use the proxy then only configure it for that. But like I said, rke2 needs to pull and unpack the runtime image for all the system binaries including containerd and kubelet. So, you'll need to figure out how to make that image available.
What are you confused about?
e
I'm good now. Thank you.
Sorry, I have another question. Setting the HTTPS proxy in /etc/default/rke2-server: will it propagate these proxy settings to pods?
HTTP_PROXY=http://your-proxy.example.com:8888
HTTPS_PROXY=http://your-proxy.example.com:8888
NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
@creamy-pencil-82913, please advise
c
No. No environment variables are ever propagated to pods.
e
ok. thank you.
I noticed these environment variables being passed to the kube-api and cattle-system-agent. I haven’t yet checked the other pods. I’d like to know if this behavior is expected and whether it poses any security concerns. cc: @creamy-pencil-82913
c
they are not passed to any containers, unless you took steps to manually do so
Can you show specifically where you are seeing that these env vars are getting set within pods?
e
Example. This is from the etcd pod.
kubectl describe po etcd-xxx.global.xxx.org -n kube-system

Name:                 etcd-k8shdptest001.global.xxx.org
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 k8shdptest001.global.xxx.org/172.22.48.92
Start Time:           Mon, 04 Aug 2025 10:47:11 +0000
Labels:               component=etcd
                      tier=control-plane
Annotations:          etcd.k3s.io/initial: {"initial-advertise-peer-urls":"https://172.22.48.92:2380","initial-cluster":"k8shdptest001.global.xxx.org-93873603=https://172.22.48.92...
                      kubernetes.io/config.hash: ea6749ba021ee761076a9fd72ec3ceb2
                      kubernetes.io/config.mirror: ea6749ba021ee761076a9fd72ec3ceb2
                      kubernetes.io/config.seen: 2025-08-04T11:47:11.628365756+01:00
                      kubernetes.io/config.source: file
Status:               Running
IP:                   172.22.48.92
IPs:
  IP:           172.22.48.92
Controlled By:  Node/k8shdptest001.global.xxx.org
Containers:
  etcd:
    Container ID:  containerd://56dea922b678aa566e594d5da6161f979ae64046014c54bb7f066087e4dcb0dd
    Image:         index.docker.io/rancher/hardened-etcd:v3.5.21-k3s1-build20250612
    Image ID:      docker.io/rancher/hardened-etcd@sha256:a7b27de3631122aa0086238a71dc7e9bf6fcfa7fd48b8ccf55139231b018680b
    Port:          <none>
    Host Port:     <none>
    Command:
      etcd
    Args:
      --config-file=/var/lib/rancher/rke2/server/db/etcd/config
    State:          Running
      Started:      Mon, 04 Aug 2025 10:47:16 +0000
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:     200m
      memory:  512Mi
    Liveness:  http-get http://localhost:2381/health?serializable=true delay=10s timeout=15s period=10s #success=1 #failure=8
    Startup:   http-get http://localhost:2381/health?serializable=true delay=10s timeout=5s period=10s #success=1 #failure=24
    Environment:
      FILE_HASH:    c2797dfb940ea922e3cb02a0abc468edbf5d0a1f294661b316401f81b2001677
      HTTP_PROXY:   http://uk5.proxy.xxx.org:80
      HTTPS_PROXY:  http://uk5.proxy.xxx.org:80
      NO_PROXY:     .xxx.org,localhost,localhost.localdomain,127.0.0.1,.crc.testing,10.157.160.165/19,192.168.0.0/16,10.96.0.0/12,kubernetes,kubernetes.svc,kubernetes.svc.local,k8shdptest001.global.xxx.org,k8shdptest002.global.xxx.org,k8shdptest003.global.xxx.org,172.22.48.92,172.22.48.93,172.22.48.94,.svc,.cluster.local,10.42.0.0/16,10.43.0.0/16
    Mounts:
      /var/lib/rancher/rke2/server/db/etcd from dir0 (rw)
      /var/lib/rancher/rke2/server/db/etcd/config from file6 (ro)
      /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt from file5 (ro)
c
hmm. my mistake, I guess the PROXY env vars do get intentionally passed through in the control-plane static pods manifests. I wasn’t aware of that, it’s not code that has been touched and I don’t often use proxies so I never noticed. https://github.com/rancher/rke2/blame/v1.33.0%2Brke2r1/pkg/staticpod/staticpod.go#L273-L277
This wouldn’t affect anything else though. What sort of security impact are you concerned about?
e
Oh, thank you for clarifying. I'm concerned because these pods will have direct access to the outside world. CC: @creamy-pencil-82913
c
They are not going to even attempt to access anything outside your cluster, so that shouldn’t be a problem… but if seeing it there bothers you, you can manually override those env vars via RKE2 config to set them back to an empty string.