
Unable to Enable Project Network Isolation on Imported RKE2/K3s Clusters

Article Number: 000022384

Environment

  • Rancher v2.6+
  • A standalone RKE2 or K3s cluster that is imported into Rancher

Situation

While trying to enable Project Network Isolation (PNI) on an imported RKE2 or K3s cluster, the following error is shown in the Rancher UI:

enableNetworkPolicy should be false for K3s or rke2 clusters

Resolution

Project Network Isolation (PNI) cannot currently be enabled for imported RKE2 or K3s clusters; instead, network isolation must be implemented at the CNI level (e.g., Canal, Cilium, or Calico) using native Kubernetes NetworkPolicy resources to define default-deny and namespace-scoped rules.
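The manifest below is an added example of the NetworkPolicy approach described above, not part of the original article or Rancher's own PNI implementation. The namespace `team-a` and project ID `p-example` are placeholders. It assumes each namespace carries the `field.cattle.io/projectId` label that Rancher sets when a namespace is assigned to a project; confirm with `kubectl get ns --show-labels` before relying on it.

```yaml
# Constructed example: apply once per namespace that should be isolated.
# "team-a" and "p-example" are placeholders, not values from the article.
---
# 1. Default-deny: selects every pod in the namespace and allows no ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}          # empty selector = all pods in this namespace
  policyTypes:
    - Ingress              # no ingress rules listed, so all ingress is denied
---
# 2. Namespace-scoped allow: re-open traffic from the same namespace and
#    from other namespaces that belong to the same project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-project
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Pods in this namespace (a podSelector alone is namespace-local).
        - podSelector: {}
        # Pods in any namespace labelled with the same project ID
        # (assumed label; verify it exists on your namespaces).
        - namespaceSelector:
            matchLabels:
              field.cattle.io/projectId: p-example
```

NetworkPolicy rules are additive, so traffic is allowed if any policy selecting the pod permits it. Anyone who can edit namespace labels can place a namespace inside the allowed set, so restrict that permission accordingly.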

An RFE is open to enable PNI for imported RKE2 and K3s clusters, as tracked in GitHub Issue #54163.