RKE2 cluster provisioning in Rancher with profile: cis-1.6, requires parameter protect-kernel-defaults to true
This document (000020949) is provided subject to the disclaimer at the end of this document.
Environment
Rancher 2.6
Situation
When provisioning a new custom RKE2 cluster with Worker CIS Profile 1.6 from the Rancher UI, if the parameter "protect-kernel-defaults" is not set to "true", the RKE2 server exits with the following error:
RKE2 server error log
#journalctl -fu rke2-server
Starting Rancher Kubernetes Engine v2 (server)...
sh[26475]: + /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service
sh[26475]: /bin/sh: 1: /usr/bin/systemctl: not found
rke2[26486]: time="2023-01-23T12:11:54Z" level=fatal msg="--protect-kernel-defaults must be true when using --profile=cis-1.6"
systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: rke2-server.service: Failed with result 'exit-code'
Resolution
How to set the protect-kernel-defaults flag?
When provisioning the cluster, "protect-kernel-defaults" can be set in the Advanced section under Cluster Configuration:
- Click ☰ > Cluster Management
- On the Clusters page, click Create
- Toggle the switch to RKE2/K3s
- Custom
- Cluster Configuration ==> Advanced
- Click the checkbox labelled "Raise error if kernel parameters are different than the expected kubelet defaults"
Cause
When RKE2 starts with the "profile" flag set to cis-1.6, "protect-kernel-defaults" becomes a required configuration flag for RKE2: the server refuses to start unless it is "true". The flag therefore has to be set to "true" when provisioning the cluster.
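The following pre-flight check is an added example, not code from this knowledgebase article or from the RKE2 project. It reproduces RKE2's startup rule (profile cis-1.6 requires protect-kernel-defaults: true) against a constructed sample of the flat key/value form of /etc/rancher/rke2/config.yaml, and reports kernel parameters that differ from the kubelet defaults the flag enforces (values assumed from the RKE2 CIS hardening guide).

```shell
#!/bin/sh
# Added example (not from the SUSE KB or RKE2): pre-flight check for the
# cis-1.6 / protect-kernel-defaults rule. Assumes flat "key: value" config
# lines and the kubelet kernel defaults vm.overcommit_memory=1,
# vm.panic_on_oom=0, kernel.panic=10, kernel.panic_on_oops=1.

# Constructed sample configs: the failing case from the log, and the fixed one.
BAD_CONFIG='profile: cis-1.6
token: PLACEHOLDER-TOKEN'
GOOD_CONFIG='profile: cis-1.6
protect-kernel-defaults: true
token: PLACEHOLDER-TOKEN'

# Constructed sample of "sysctl -a" output with kernel.panic left at stock 0.
SAMPLE_SYSCTL='vm.overcommit_memory = 1
vm.panic_on_oom = 0
kernel.panic = 0
kernel.panic_on_oops = 1'

# cfg_get CONFIG KEY: value of a top-level scalar key, empty if absent.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_cis_flag CONFIG: 0 if RKE2's startup check would pass,
# 1 if profile is cis-1.6 but protect-kernel-defaults is not "true".
check_cis_flag() {
    [ "$(cfg_get "$1" profile)" = "cis-1.6" ] || return 0
    [ "$(cfg_get "$1" protect-kernel-defaults)" = "true" ]
}

# kernel_mismatches SYSCTL_TEXT: prints each parameter that differs from the
# kubelet default; with protect-kernel-defaults=true the kubelet fails on
# these instead of rewriting them, so fix them in /etc/sysctl.d first.
kernel_mismatches() {
    printf '%s\n' "$1" | awk '
        BEGIN { want["vm.overcommit_memory"]=1; want["vm.panic_on_oom"]=0;
                want["kernel.panic"]=10; want["kernel.panic_on_oops"]=1 }
        ($1 in want) && ($3 != want[$1]) { print $1 "=" $3 " (expected " want[$1] ")" }'
}

# Stand-alone run: report both sample configs and the sample kernel state.
for cfg in "$BAD_CONFIG" "$GOOD_CONFIG"; do
    if check_cis_flag "$cfg"; then echo "config OK"; else echo "config would fail startup"; fi
done
kernel_mismatches "$SAMPLE_SYSCTL"
```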
Additional Information
RKE2 is designed to be "hardened by default" and pass the majority of the Kubernetes CIS controls without modification. There are a few notable exceptions to this that require manual intervention to fully pass the CIS Benchmark.
CIS Hardening Guide
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.