I'm trying to build an RKE2 K8s cluster to run Rancher Manager. I want to try to have a good security posture out of the gate, so I figured I probably want the CIS profile enabled to give me a leg-up on things. Is cis-1.6 the latest/most appropriate for RKE2? 1.6 is greater than 1.23, so I figured it should be?
Right now I have a 3-node v1.24.10+rke2r1 K8s cluster on Ubuntu 20.04 with the cis-1.6 profile, and I've installed Rancher 2.7.1 via Helm using external TLS. Rancher appears to start fine and shows the local cluster as expected, with "Control Plane, Etcd" roles on the three nodes.
I figured I want to add an annotation to this local cluster to indicate that pod security policies are enabled, so I can create new projects/namespaces to run just a few key operational things like kured (https://kured.dev) that need more relaxed PSPs to operate, but I don't appear to get an option to edit (or even view!) the cluster configuration to do so. I'm not running real workloads in this cluster, just the bare minimum I need for operations (kured, logging, CIS scanning). I am planning on building another couple of similar RKE2 clusters for our applications, and I'm hoping that will be smoother sailing (I certainly believe so based on the single-instance Docker environment I was playing with to figure out that side of things!).
I'm really struggling to figure out where I am going wrong in getting a secure K8s cluster to run Rancher while still being able to do the bare minimum administration of it via Rancher itself.