
Cannot install RKE2 bootstrap and control-plane providers into an RKE2 cluster with cisProfile set #384

Closed
AshleyDumaine opened this issue Jul 31, 2024 · 0 comments · Fixed by #385
Labels
kind/bug Something isn't working priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

AshleyDumaine (Contributor) commented Jul 31, 2024

What happened:
I used this provider to create an RKE2 cluster with the cisProfile set, but was unable to then pivot my management cluster to it since clusterctl init --bootstrap rke2 --control-plane rke2 was erroring out due to no securityContext being set for the manager pods for the rke2-bootstrap-controller-manager and rke2-control-plane-manager:

$ clusterctl init --bootstrap rke2 --control-plane rke2 --kubeconfig=kubeconfig-rke2-mgmt-cluster.yaml
Fetching providers
Skipping installing cert-manager as it is already installed
Installing Provider="bootstrap-rke2" Version="v0.5.0" TargetNamespace="rke2-bootstrap-system"
[KubeAPIWarningLogger] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Installing Provider="control-plane-rke2" Version="v0.5.0" TargetNamespace="rke2-control-plane-system"
[KubeAPIWarningLogger] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

How to reproduce it:

  • From an existing management cluster, create an RKE2 cluster (I used --kubernetes-version v1.29.1+rke2r1) with cis-1.23 for both RKE2ConfigTemplate.spec.template.spec.agentConfig.cisProfile and RKE2ControlPlane.spec.agentConfig.cisProfile
  • obtain the generated kubeconfig for the new cluster: clusterctl get kubeconfig rke2-mgmt-cluster > kubeconfig.yaml
  • clusterctl init --kubeconfig=kubeconfig.yaml
  • clusterctl init --bootstrap rke2 --control-plane rke2 --kubeconfig=kubeconfig.yaml <-- this part will fail due to missing securityContexts

Anything else you would like to add:
I was able to successfully install the bootstrap and control-plane providers and then pivot my management cluster into the RKE2 cluster by using a local version of the providers that included this in both manager containers:

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault

Environment:

  • rke provider version: v0.5.0
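The four conditions in the PodSecurity warning above are exactly the checks the "restricted" admission profile applies to every container, and the securityContext the reporter added satisfies all of them. The following is an added example, not code from the cluster-api-provider-rke2 project: a small pre-flight checker that evaluates a Pod spec against those rules with the same pod-level/container-level override semantics the admission controller uses, and a helper that applies the fix from the issue. The pod spec and image name are constructed placeholders, and the extra rule that only NET_BIND_SERVICE may be added back via capabilities.add goes slightly beyond what the page's warning lists.

```python
import copy

# Constructed pod spec mirroring the v0.5.0 manager pod the issue describes:
# a "manager" container with no securityContext at all. The image is a placeholder.
BEFORE_POD_SPEC = {
    "containers": [
        {
            "name": "manager",
            "image": "placeholder/rke2-bootstrap-controller:v0.5.0",
            "args": ["--leader-elect"],
        }
    ]
}

# Capabilities the restricted profile still permits a container to add (beyond the page's list).
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}


def restricted_violations(pod_spec):
    """Return the restricted-profile violations for a pod spec, worded like the API server warning."""
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}

        # Rule 1: privilege escalation must be explicitly disabled (container-level field only).
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                "securityContext.allowPrivilegeEscalation=false)")

        # Rule 2: every capability dropped; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                'securityContext.capabilities.drop=["ALL"])')
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPABILITIES
        if extra:
            violations.append(
                f'unrestricted capabilities (container "{name}" must not add {sorted(extra)})')

        # Rule 3: runAsNonRoot may be set on the pod or the container; the container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                "securityContext.runAsNonRoot=true)")

        # Rule 4: a seccomp profile is required; the container-level profile overrides the pod's.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


def harden(pod_spec):
    """Return a copy of pod_spec with the securityContext from the issue applied to every container."""
    hardened = copy.deepcopy(pod_spec)
    for container in hardened.get("containers", []) + hardened.get("initContainers", []):
        sc = container.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc["runAsNonRoot"] = True
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
        # Force drop=["ALL"] but leave any explicit capabilities.add in place for review.
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return hardened


if __name__ == "__main__":
    for label, spec in (("before", BEFORE_POD_SPEC), ("after", harden(BEFORE_POD_SPEC))):
        problems = restricted_violations(spec)
        print(f"{label}: {len(problems)} violation(s)")
        for problem in problems:
            print('  would violate PodSecurity "restricted:latest":', problem)
```

Running the script reports four violations for the unmodified manager container and none once `harden` has applied the reporter's securityContext, which is the same outcome the `clusterctl init` warnings describe. The checker is useful as a CI gate on provider manifests before they are applied to a CIS-hardened cluster, since the admission controller only reports the problem at install time.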
@AshleyDumaine AshleyDumaine added kind/bug Something isn't working needs-priority Indicates an issue or PR needs a priority assigning to it needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 31, 2024
@furkatgofurov7 furkatgofurov7 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates an issue or PR needs a priority assigning to it needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 7, 2024