Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
s
salmon-train-47748
02/02/2023, 8:57 PMI'm trying to build a RKE2 K8s cluster to run Rancher Manager. I want to try and have a good security posture out of the gate, so I figured I probably want the CIS profile enabled to give me a leg-up on things. Is cis-1.6 the latest/most appropriate for RKE2 - 1.6 is greater than 1.23 so I figured it should be???
Right now I have a 3 node v1.24.10+rke2r1 K8s cluster on Ubuntu 20.04 with the cis-1.6 profile and I've installed Rancher 2.7.1 via Helm using external TLS. Rancher appears to start fine and shows up the local cluster as expected with "Control Plane, Etcd" roles on the three nodes.
I figured I want to add an annotation to this local cluster to indicate that pod security policies are enabled so I can create new projects/namespaces to just run a few key operational things like kured (https://kured.dev) that need more relaxed psps to operate, but I don't appear to get an option to edit (or even view!) the cluster configuration to do so. I'm not running real workloads in this cluster, just the bare minimum I need for operations (kured, logging, CIS scanning). I am planning on building another couple of similar RKE2 clusters for our applications, and I'm hoping that will be smoother sailing (I certainly believe so based on the single instance Docker environment I was playing with to figure out that side of things!)
I'm really struggling to figure out where I am going wrong to get a secure K8s cluster to run Rancher and still be able to do bare minimum administration of it via Rancher itself too.
c
creamy-pencil-82913
02/02/2023, 10:04 PMThe local cluster itsn’t managed by Rancher itself, so some things you might expect to be able to do from Rancher if you’re used to managing downstream clusters won’t be available from the UI.
s
salmon-train-47748
02/03/2023, 5:23 PMDoes this mean that even if I could somehow add the "capabilities.cattle.io/pspEnabled": "true" annotation to the local cluster I wouldn't be able to select the PSP for the projects I create via the UI?
I'm now thinking maybe I should create the namespaces with appropriate PSPs outside Rancher and then just have Fleet deploy the helm charts in to them for me (and that just means I have to evolve things as the pod security policies get retired and replaced in RKE2 down the line)