Trying to experiment with deploying RKE2 through the UI now that it's officially supported and turn on all the security knobs available. Using Rancher 2.6.6 UI, I tried to deploy to a custom downstream cluster RKE2 v1.22.10+rke2r2, Cloud Provider (None), Container Network calico, Default Pod Security Policy restricted-noroot, Worker CIS Profile cis-1.6, checked Project Network Isolation and left CoreDNS, NGINX Ingress, & Metrics Server checked. I didn't touch anything under the other tabs. It failed with rancher-system-agent spinning on no certificate files existing and no RKE2 listening on any TCP or UDP ports. I tried creating etcd user on control plane/etcd nodes & put the rke2-cis-sysctl.conf from a different install in /etc/sysctl.d/60-rke2-cis.conf and rebooted all downstream nodes. Still same rancher-system-agent error but I belatedly remembered to check that rke2-server service is running so checked its logs and aside from it saying there's no nm-cloud-setup.service for systemctl to enable (which I assume is harmless), it's appearing to error out on fatal error

--protect-kernel-defaults must be true when using --profile=cis-1.6

, which I thought got set automatically when profile was set to cis-1.6. So my question is did I mess something up with a conflict like the default pod security policy? Is CIS-1.6 not supported? Something else? Should I file a bug?

Ah, didn't see that option. So checking that would set --protect-kernel-defaults to true and if I don't do that it won't do it even with CIS 1.6 profile set? So at this point I need to manually fix the rke2-server.service files to add the parameter on my control plane nodes I assume. Do I need to add that to my worker nodes rke2-agent.service files too or can I do it centrally by editing the cluster or something?

I believe that if you edit that on the cluster it will sync that to the config on the node.

Ok, I'll try that and see. If it doesn't sync is that needed on the agents as well as the control plane or just control plane?

everywhere

No luck changing in UI, can't get it to pull it. I tried changing it in

/etc/rancher/rke2/config.yaml.d/50-rancher.yaml

and rebooting but it got reset back to false on reboot. I didn't see anything in the rancher-system-agent that jumped out as where it was getting its config, and I tried moving it to another location and rebooting but still pulling the old values. Do I need to uninstall rke2 and re-create the cluster?

Hmm. I would have expected it to get picked up if you changed it in the UI, but its possible that it’s waiting for the node to come up before applying any changes to the config. You can add more files in that directory with additional config entries, as you noted that file is managed by the agent.

So if I put in a

/etc/rancher/rke2/config.yaml.d/51-fix-missed-config.yaml

that just changes

protect-kernel-defaults

to true it'll overwrite the false inside the 50 entry, or do I put it before because it'll ignore later after it's set?

yeah, 51-whatever.yaml. They’re merged in alphabetical order IIRC

Ok, thanks.

ah yeah that makes sense. I think it needs to wait for the first update cycle to complete successfully before it can apply any subsequent configuration changes.