#rke2

rapid-helmet-86074

07/19/2022, 7:34 PM
Trying to experiment with deploying RKE2 through the UI now that it's officially supported and turn on all the security knobs available. Using the Rancher 2.6.6 UI, I tried to deploy to a custom downstream cluster RKE2 v1.22.10+rke2r2, Cloud Provider (None), Container Network calico, Default Pod Security Policy restricted-noroot, Worker CIS Profile cis-1.6, checked Project Network Isolation and left CoreDNS, NGINX Ingress, & Metrics Server checked. I didn't touch anything under the other tabs. It failed with rancher-system-agent spinning on no certificate files existing and no RKE2 listening on any TCP or UDP ports. I tried creating an etcd user on the control plane/etcd nodes & put the rke2-cis-sysctl.conf from a different install in /etc/sysctl.d/60-rke2-cis.conf and rebooted all downstream nodes. Still the same rancher-system-agent error, but I belatedly remembered to check that the rke2-server service is running, so I checked its logs and, aside from it saying there's no nm-cloud-setup.service for systemctl to enable (which I assume is harmless), it appears to error out on the fatal error "--protect-kernel-defaults must be true when using --profile=cis-1.6", which I thought got set automatically when the profile was set to cis-1.6. So my question is: did I mess something up with a conflict like the default pod security policy? Is CIS-1.6 not supported? Something else? Should I file a bug?

creamy-pencil-82913

07/19/2022, 7:45 PM

rapid-helmet-86074

07/19/2022, 7:47 PM
Ah, didn't see that option. So checking that would set --protect-kernel-defaults to true, and if I don't do that it won't do it even with the CIS 1.6 profile set? So at this point I need to manually fix the rke2-server.service files to add the parameter on my control plane nodes, I assume. Do I need to add that to my worker nodes' rke2-agent.service files too, or can I do it centrally by editing the cluster or something?

creamy-pencil-82913

07/19/2022, 7:51 PM
I believe that if you edit that on the cluster it will sync that to the config on the node.

rapid-helmet-86074

07/19/2022, 7:51 PM
Ok, I'll try that and see. If it doesn't sync, is that needed on the agents as well as the control plane, or just the control plane?

creamy-pencil-82913

07/19/2022, 7:52 PM
everywhere

rapid-helmet-86074

07/20/2022, 4:51 PM
No luck changing it in the UI, can't get it to pull it. I tried changing it in /etc/rancher/rke2/config.yaml.d/50-rancher.yaml and rebooting, but it got reset back to false on reboot. I didn't see anything in the rancher-system-agent that jumped out as where it was getting its config, and I tried moving it to another location and rebooting, but it's still pulling the old values. Do I need to uninstall rke2 and re-create the cluster?

creamy-pencil-82913

07/20/2022, 5:21 PM
Hmm. I would have expected it to get picked up if you changed it in the UI, but it's possible that it's waiting for the node to come up before applying any changes to the config. You can add more files in that directory with additional config entries; as you noted, that file is managed by the agent.

rapid-helmet-86074

07/20/2022, 5:29 PM
So if I put in a /etc/rancher/rke2/config.yaml.d/51-fix-missed-config.yaml that just changes protect-kernel-defaults to true, it'll overwrite the false inside the 50 entry, or do I put it before because it'll ignore later ones after it's set?

creamy-pencil-82913

07/20/2022, 5:49 PM
Yeah, 51-whatever.yaml. They're merged in alphabetical order IIRC.

rapid-helmet-86074

07/20/2022, 5:49 PM
Ok, thanks.
For anyone else wanting to know, adding the 51-whatever.yaml on my first control plane node fixed it so that it continued, and then the rest of the cluster checked in with the server and came up fine without me adding it to any of the others (and 50-rancher.yaml fixed itself on the first control plane node too).

creamy-pencil-82913

07/20/2022, 9:03 PM
Ah yeah, that makes sense. I think it needs to wait for the first update cycle to complete successfully before it can apply any subsequent configuration changes.