
RKE2 cluster provisioning in Rancher with profile: cis-1.6, requires parameter protect-kernel-defaults to true

This document (000020949) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.6

Situation

When provisioning a new custom RKE2 cluster with Worker CIS Profile 1.6 from the Rancher UI, if the parameter "protect-kernel-defaults" is not set to "true", the RKE2 server will exit with the following error:

RKE2 server error log

# journalctl -fu rke2-server
Starting Rancher Kubernetes Engine v2 (server)...
sh[26475]: + /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service
sh[26475]: /bin/sh: 1: /usr/bin/systemctl: not found
rke2[26486]: time="2023-01-23T12:11:54Z" level=fatal msg="--protect-kernel-defaults must be true when using --profile=cis-1.6"
systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: rke2-server.service: Failed with result 'exit-code'
Resolution

How to set the flag protect-kernel-defaults?

When provisioning the cluster, "protect-kernel-defaults" can be set in the Advanced section under Cluster Configuration:
  1. Click ☰ > Cluster Management
  2. On the Clusters page, click Create
  3. Toggle the switch to RKE2/K3s
  4. Select Custom
  5. Under Cluster Configuration, open Advanced
  6. Tick the checkbox "Raise error if kernel parameters are different than the expected kubelet defaults"

Cause

When RKE2 starts with the "profile" flag set to cis-1.6, "protect-kernel-defaults" is exposed as a configuration flag for RKE2. This flag has to be set to "true" when provisioning the cluster; with it enabled, the kubelet raises an error instead of silently changing kernel parameters that differ from its expected defaults.
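Added example, not code from the SUSE article, Rancher or RKE2, to go with the resolution steps and the cause above: a POSIX shell check that compares a node's sysctl values with the defaults the kubelet enforces when protect-kernel-defaults is true, so a mismatch shows up before rke2-server fails to start. The expected values are assumed to be those the RKE2 CIS hardening guide places in /etc/sysctl.d/60-rke2-cis.conf.

```shell
#!/bin/sh
# Added example (not from the SUSE article, Rancher or RKE2). With
# protect-kernel-defaults=true the kubelet fails instead of silently
# rewriting kernel sysctls, so nodes whose values differ from the expected
# kubelet defaults fail as in the log above. The expected values are the
# ones the RKE2 CIS hardening guide puts in /etc/sysctl.d/60-rke2-cis.conf
# (assumed here; confirm them against the guide for your RKE2 version).

EXPECTED_KERNEL_DEFAULTS="vm.overcommit_memory=1 vm.panic_on_oom=0 \
kernel.panic=10 kernel.panic_on_oops=1 \
kernel.keys.root_maxkeys=1000000 kernel.keys.root_maxbytes=25000000"

# check_kernel_defaults FILE
# FILE holds sysctl-style "key = value" lines. Prints one line per missing
# or differing key; returns 1 if any was found, 0 otherwise. As in
# sysctl.d, the last occurrence of a key wins.
check_kernel_defaults() {
    file="$1"
    rc=0
    for entry in $EXPECTED_KERNEL_DEFAULTS; do
        key=${entry%%=*}
        want=${entry#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING  $key (kubelet expects $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (kubelet expects $want)"
            rc=1
        fi
    done
    return $rc
}

# snapshot_running_kernel FILE
# Writes the running kernel's current values from /proc/sys to FILE in the
# same format, so a node can be checked before it joins the cluster.
snapshot_running_kernel() {
    out="$1"
    : > "$out"
    for entry in $EXPECTED_KERNEL_DEFAULTS; do
        key=${entry%%=*}
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            echo "$key = $(cat "$path")" >> "$out"
        fi
    done
}
```

On a node, run `snapshot_running_kernel /tmp/sysctl.txt && check_kernel_defaults /tmp/sysctl.txt` before provisioning, or point check_kernel_defaults at the sysctl.d file you intend to deploy.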

Additional Information

RKE2 is designed to be "hardened by default" and pass the majority of the Kubernetes CIS controls without modification. There are a few notable exceptions to this that require manual intervention to fully pass the CIS Benchmark. 

CIS Hardening Guide

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020949
  • Creation Date: 23-Jan-2023
  • Modified Date: 19-May-2023
  • Product: SUSE Rancher
