I'm trying to build a RKE2 K8s cluster to run Rancher Manager. I want to try and have a good security posture out of the gate, so I figured I probably want the CIS profile enabled to give me a leg-up on things. Is cis-1.6 the latest/most appropriate for RKE2 - 1.6 is greater than 1.23 so I figured it should be???
Right now I have a 3 node v1.24.10+rke2r1 K8s cluster on Ubuntu 20.04 with the cis-1.6 profile and I've installed Rancher 2.7.1 via Helm using external TLS. Rancher appears to start fine and shows up the local cluster as expected with "Control Plane, Etcd" roles on the three nodes.
I figured I want to add an annotation to this local cluster to indicate that pod security policies are enabled so I can create new projects/namespaces to just run a few key operational things like kured (https://kured.dev) that need more relaxed psps to operate, but I don't appear to get an option to edit (or even view!) the cluster configuration to do so. I'm not running real workloads in this cluster, just the bare minimum I need for operations (kured, logging, CIS scanning). I am planning on building another couple of similar RKE2 clusters for our applications, and I'm hoping that will be smoother sailing (I certainly believe so based on the single instance Docker environment I was playing with to figure out that side of things!)
I'm really struggling to figure out where I am going wrong to get a secure K8s cluster to run Rancher and still be able to do bare minimum administration of it via Rancher itself too.
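For anyone setting up the same thing: the sh script below is an added example (not code from this thread, RKE2 or Rancher) that checks a node before turning on `profile: cis-1.6` in RKE2's config.yaml. The CIS profile makes RKE2 refuse to start unless the host prerequisites from its hardening guide are met, namely an `etcd` user and the kernel parameters shipped in `/usr/share/rke2/rke2-cis-sysctl.conf`, so it is worth checking those up front rather than reading the failure out of `journalctl`. The config path `/etc/rancher/rke2/config.yaml` and the sysctl values are taken from RKE2's documentation; all inputs are parameters so the functions can be exercised offline against constructed files.

```shell
#!/bin/sh
# Added example, not from the thread or from RKE2/Rancher: pre-flight check for
# an RKE2 node before enabling the CIS profile. It verifies that config.yaml
# (default /etc/rancher/rke2/config.yaml, assumed here) sets "profile: cis-1.6"
# and that the host prerequisites from RKE2's CIS hardening guide exist: an
# "etcd" user and the sysctl values from /usr/share/rke2/rke2-cis-sysctl.conf.

# Print the value of the "profile:" key from an RKE2 config.yaml ($1), with
# optional surrounding double quotes stripped. Prints nothing if unset.
rke2_profile() {
  sed -n 's/^profile:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# Return 0 if the passwd file ($1, default /etc/passwd) defines an etcd user.
etcd_user_present() {
  grep -q '^etcd:' "${1:-/etc/passwd}"
}

# Compare the four kernel parameters the CIS profile requires against live
# values. $1 is a command (or shell function) that prints the value for one
# sysctl key, e.g. "sysctl -n". Returns the number of mismatches (0 = all good).
check_cis_sysctls() {
  getter=$1
  mismatches=0
  for pair in vm.panic_on_oom=0 vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$($getter "$key" 2>/dev/null)
    if [ "$have" != "$want" ]; then
      echo "sysctl $key is '${have:-unset}', CIS profile expects '$want'" >&2
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# Run every check. $1 = config.yaml path, $2 = sysctl getter, $3 = passwd file.
# Returns 0 only when the node is ready to start RKE2 with "profile: cis-1.6".
cis_preflight() {
  ok=0
  profile=$(rke2_profile "$1")
  if [ "$profile" != "cis-1.6" ]; then
    echo "config $1: profile is '${profile:-unset}', expected 'cis-1.6'" >&2
    ok=1
  fi
  if ! etcd_user_present "$3"; then
    echo "no etcd user in $3; RKE2 runs etcd as that user under the CIS profile" >&2
    ok=1
  fi
  check_cis_sysctls "$2" || ok=1
  return "$ok"
}

# Stand-alone usage on a real node (run as root so sysctl can read every key):
#   cis_preflight /etc/rancher/rke2/config.yaml "sysctl -n" /etc/passwd
```

Run it on each node before `systemctl start rke2-server`; a non-zero exit plus the messages on stderr tells you which prerequisite is missing. The sysctl getter is passed in as a parameter only so the check can be tested against canned values; on a node you just pass `"sysctl -n"`.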
02/02/2023, 10:04 PM
The local cluster isn’t managed by Rancher itself, so some things you might expect to be able to do from Rancher if you’re used to managing downstream clusters won’t be available from the UI.
02/03/2023, 5:23 PM
Does this mean that even if I could somehow add the "capabilities.cattle.io/pspEnabled": "true" annotation to the local cluster I wouldn't be able to select the PSP for the projects I create via the UI?
I'm now thinking maybe I should create the namespaces with appropriate PSPs outside Rancher and then just have Fleet deploy the helm charts in to them for me (and that just means I have to evolve things as the pod security policies get retired and replaced in RKE2 down the line)
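The "create the namespaces with PSPs outside Rancher" route looks like this in practice. The sh below is an added example (not from this thread, Rancher or RKE2) that emits the Namespace and RoleBinding for one operational namespace such as kured, granting its service accounts the less restrictive policy while everything else stays under RKE2's default restricted PSP. It assumes the ClusterRole name `global-unrestricted-psp`, which RKE2's PSP documentation describes for the CIS profile; confirm it on your cluster with `kubectl get clusterrole | grep psp` before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or from Rancher/RKE2: manifests for a
# namespace created outside Rancher that is allowed to use RKE2's unrestricted
# pod security policy. Assumption: RKE2's CIS profile installs a ClusterRole
# named "global-unrestricted-psp" that grants "use" on that PSP; the RoleBinding
# gives it to every service account in the namespace through the
# "system:serviceaccounts:<namespace>" group rather than to individual users.

# Print a Namespace plus a RoleBinding for $1 (namespace name) to $2
# (PSP ClusterRole, default global-unrestricted-psp), ready for "kubectl apply".
psp_namespace_manifest() {
  ns=$1
  role=${2:-global-unrestricted-psp}
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-binding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:${ns}
EOF
}

# Audit helper: count RoleBindings in a manifest stream (stdin) whose roleRef is
# the given PSP ClusterRole, so the relaxed policy can be checked against the
# short list of namespaces that are meant to have it.
count_psp_bindings() {
  grep -c "^  name: $1\$"
}

# Usage against the RKE2 local cluster (kubectl context already set):
#   psp_namespace_manifest kured | kubectl apply -f -
#   kubectl get rolebindings -A -o yaml | count_psp_bindings global-unrestricted-psp
```

Because the binding is granted to the namespace's service-account group, a workload only needs to run in that namespace to get the relaxed policy, which keeps the Fleet side simple: Fleet just installs the chart into a namespace that already exists. Keep in mind this applies to v1.24 clusters like the one in the question; PodSecurityPolicy is removed in Kubernetes 1.25, so the RoleBinding has to be replaced by the successor mechanism on upgrade.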