RKE2 cluster provisioning in Rancher with profile cis-1.6 requires the parameter protect-kernel-defaults to be set to true
Article Number: 000020949
Environment
Rancher 2.6
Situation
When provisioning a new custom RKE2 cluster with Worker CIS Profile 1.6 from the Rancher UI, if the parameter "protect-kernel-defaults" is not set to "true", the RKE2 server exits with the following error:
RKE2 server error log
# journalctl -fu rke2-server
Starting Rancher Kubernetes Engine v2 (server)...
sh[26475]: + /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service
sh[26475]: /bin/sh: 1: /usr/bin/systemctl: not found
rke2[26486]: time="2023-01-23T12:11:54Z" level=fatal msg="--protect-kernel-defaults must be true when using --profile=cis-1.6"
systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: rke2-server.service: Failed with result 'exit-code'
Cause
When RKE2 starts with the "profile" flag set to cis-1.6, the "protect-kernel-defaults" flag becomes mandatory: the server refuses to start unless it is set to "true", so the flag has to be set when provisioning the cluster.
Resolution
How to set the protect-kernel-defaults flag
When provisioning the cluster, "protect-kernel-defaults" can be set in the Advanced section under Cluster Configuration:
- Click ☰ > Cluster Management
- On the Clusters page, click Create
- Toggle the switch to RKE2/K3s
- Click Custom
- Under Cluster Configuration, open Advanced
- Tick the checkbox "Raise error if kernel parameters are different than the expected kubelet defaults"
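The checkbox above amounts to two settings in the node's RKE2 configuration. The script below is an added example, not part of the article or of Rancher, that writes those settings as a constructed config file, checks that a CIS 1.6 profile is paired with protect-kernel-defaults, and pre-checks the kernel sysctls the kubelet refuses to start without once the flag is on. It assumes the node-level file is /etc/rancher/rke2/config.yaml and that the listed sysctl values are the kubelet's expected defaults.

```shell
#!/bin/sh
# Added example (not from the Rancher KB article). Assumed node config path:
# /etc/rancher/rke2/config.yaml; written here to a caller-supplied path instead.

# Constructed sample of what the UI checkbox produces in config.yaml.
write_sample_config() {
  cat > "$1" <<'EOF'
profile: cis-1.6
protect-kernel-defaults: true
EOF
}

# Return 0 only when a cis-1.6 profile is paired with protect-kernel-defaults: true,
# the combination the rke2-server fatal message in the article insists on.
check_rke2_config() {
  cfg="$1"
  if grep -Eq '^profile:[[:space:]]*"?cis-1\.6"?[[:space:]]*$' "$cfg"; then
    grep -Eq '^protect-kernel-defaults:[[:space:]]*true[[:space:]]*$' "$cfg"
    return $?
  fi
  return 0   # no CIS profile configured, so the flag is not mandatory
}

# With protect-kernel-defaults the kubelet errors out instead of tuning these
# sysctls itself, so verify them before enabling the profile. $1 is the sysctl
# root (/proc/sys on a real node); a constructed tree can be passed for testing.
check_kernel_defaults() {
  root="${1:-/proc/sys}"; rc=0
  for pair in vm/overcommit_memory=1 vm/panic_on_oom=0 kernel/panic=10 \
              kernel/panic_on_oops=1 kernel/keys/root_maxkeys=1000000 \
              kernel/keys/root_maxbytes=25000000; do
    key="${pair%=*}"; want="${pair#*=}"
    got="$(cat "$root/$key" 2>/dev/null || echo missing)"
    [ "$got" = "$want" ] || { echo "mismatch: $key is '$got', kubelet expects $want"; rc=1; }
  done
  return $rc
}

# On a node (assumed path):
#   check_rke2_config /etc/rancher/rke2/config.yaml && check_kernel_defaults
```

Run both checks on a node before enabling the CIS profile; a sysctl mismatch reported here is what would otherwise surface as a kubelet start failure after provisioning.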