This message was deleted.

Ah, didn't see that option. So checking that would set --protect-kernel-defaults to true and if I don't do that it won't do it even with CIS 1.6 profile set? So at this point I need to manually fix the rke2-server.service files to add the parameter on my control plane nodes I assume. Do I need to add that to my worker nodes rke2-agent.service files too or can I do it centrally by editing the cluster or something?

I believe that if you edit that on the cluster it will sync that to the config on the node.

Ok, I'll try that and see. If it doesn't sync is that needed on the agents as well as the control plane or just control plane?

everywhere

No luck changing in UI, can't get it to pull it. I tried changing it in

/etc/rancher/rke2/config.yaml.d/50-rancher.yaml

and rebooting but it got reset back to false on reboot. I didn't see anything in the rancher-system-agent that jumped out as where it was getting its config, and I tried moving it to another location and rebooting but still pulling the old values. Do I need to uninstall rke2 and re-create the cluster?

Hmm. I would have expected it to get picked up if you changed it in the UI, but its possible that it’s waiting for the node to come up before applying any changes to the config. You can add more files in that directory with additional config entries, as you noted that file is managed by the agent.

So if I put in a

/etc/rancher/rke2/config.yaml.d/51-fix-missed-config.yaml

that just changes

protect-kernel-defaults

to true it'll overwrite the false inside the 50 entry, or do I put it before because it'll ignore later after it's set?

yeah, 51-whatever.yaml. They’re merged in alphabetical order IIRC

Ok, thanks.

ah yeah that makes sense. I think it needs to wait for the first update cycle to complete successfully before it can apply any subsequent configuration changes.