# k3s
h
though in general, i would be wary of using
INSTALL_K3S_EXEC="--secrets-encryption true"
c
INSTALL_K3S_EXEC="--secrets-encryption true"
this command fails executing as far as I can tell.
h
if you typed such out on the cli it should be fine
e.g.
k3s server --secrets-encryption true
but that is beside the point for your question and use case, i assume
c
So basically for booleans I am good to go with
INSTALL_K3S_EXEC="--secrets-encryption"
just setting them like this right?
h
that said, consider leveraging the
/etc/rancher/k3s/config.yaml
for an overall better configuration experience
yeah
c
export INSTALL_K3S_EXEC="--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' --kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'"
What about passing strings like this inside the env variable?
h
should work iirc, but it depends on how you are getting the envvar to the install script
i prefer to leverage
/etc/rancher/k3s/config.yaml
config when i can (easy to devops, makes for a simpler install invocation)
c
/etc/rancher/k3s/config.yaml
I have no idea how to write all these commands into the yaml file. The docs only show two simple examples.
h
can you link me the doc you are using?
c
yes that one
h
yeah i see what you mean. you kind of have to know the internal type used for args though iirc the parsing does try to be forgiving (particularly with string arrays)
that said, the
kube-*-arg
flags take string array values while most other stuff is just strings
anyhow, go with whatever you are most comfortable with!
don't let me nerd-snipe you
c
ok so for integer and booleans I should not use "", and rest of it just wrap around double quotes right?
h
yeah that should get you most of the way with even complex config
c
No, your solution is far better but I am trying to implement the k3s CIS hardening parameters also and am confused how to properly implement those things. K3S is not giving me any error if it is not parsing any parameters also. So very hard to debug what is getting ignored from my INSTALL_K3S_EXEC list.
Does the config yaml have any particular order in which I have to provide the parameters? Or just lay down everything as shown in the example from top to bottom and try executing?
h
ah, well for that, worst case is you can inspect what k3s thinks the runtime config is by inspecting the node annotations
k3s.io/node-args
and
k3s.io/node-env
nah, order isn't important. it is a straight-forward translation of all k3s flags as top level items in the yaml
c
got it. thanks a lot for the info. am trying to create the yaml then. better to visualize and manage.
h
anyhow, while i no longer work for suse/rancher i was a dev on this project and hope i have been helpful. if you are still stuck please do ping me here (i'm gonna switch to a diff screen. if i am unresponsive try tagging me)
c
Thanks a lot for the help. Really appreciate it. I will let you know how it goes.