[release-1.20] RKE2 CIS checks expect etcd user on agents #1063

Closed
Martin-Weiss opened this issue May 26, 2021 · 4 comments
@Martin-Weiss

Environmental Info:
RKE2 Version:

rke2 version v1.20.7+rke2r2 (ea65147)
go version go1.15.8b5

Node(s) CPU architecture, OS, and Version:
SLES 15 SP2

Cluster Configuration:
3 Server, 14 Agents

Describe the bug:
During deployment of agents we see this in journalctl -u rke2-agent:

May 26 10:51:07 dehwllk8p01n005 systemd[1]: Starting Rancher Kubernetes Engine v2 (agent)...
May 26 10:51:07 dehwllk8p01n005 systemd[1]: Started Rancher Kubernetes Engine v2 (agent).
May 26 10:51:07 dehwllk8p01n005 rke2[37988]: time="2021-05-26T10:51:07+02:00" level=fatal msg="missing required user: unknown user etcd\n"
May 26 10:51:07 dehwllk8p01n005 systemd[1]: rke2-agent.service: Main process exited, code=exited, status=1/FAILURE
May 26 10:51:07 dehwllk8p01n005 systemd[1]: rke2-agent.service: Unit entered failed state.
May 26 10:51:07 dehwllk8p01n005 systemd[1]: rke2-agent.service: Failed with result 'exit-code'.
May 26 10:51:12 dehwllk8p01n005 systemd[1]: rke2-agent.service: Service RestartSec=5s expired, scheduling restart.

This is our config.yaml

private-registry: /etc/rancher/rke2/registries.yaml
token: <token>
server: https://<master-node>:9345
profile: cis-1.6
node-label:
  - "cluster=<clustername>"
  - "role=storage-node"

Steps To Reproduce:

  • Installed RKE2 with cis-1.6 with three masters and added an agent with a similar config.yaml as above

Expected behavior:

  • on agents an etcd user should not be expected or required - we just need that user on the masters / on the etcd nodes.

Actual behavior:

  • rke2 binary expects etcd user on agents
@brandond brandond changed the title missing required user: unknown user etcd on agent in rke2 1.20.7 RKE2 CIS checks expect etcd user on agents May 26, 2021
@brandond brandond changed the title RKE2 CIS checks expect etcd user on agents [release-1.20] RKE2 CIS checks expect etcd user on agents May 26, 2021
@brandond brandond added the kind/bug Something isn't working label May 26, 2021
@brandond brandond added this to To Triage in Development [DEPRECATED] via automation May 26, 2021
@brandond brandond moved this from To Triage to Working in Development [DEPRECATED] May 26, 2021
@brandond brandond moved this from Working to Peer Review in Development [DEPRECATED] May 26, 2021
@brandond
Contributor

brandond commented May 26, 2021

Added a callout in the 1.20.7+rke2r2 release notes. Will be fixed in 1.20.8.

@Fabyao

Fabyao commented Jun 10, 2021

@brandond Is there a workaround until release 1.20.8?

@Fabyao

Fabyao commented Jun 10, 2021

@brandond Ignore me, just seen this in the release notes:
CIS Profile checks require etcd user to be present on agents. As a workaround, ensure that the etcd user exists on all nodes on which you will use the --profile flag, even ones that you do not plan to enable etcd on. This will be fixed in a subsequent patch release.
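
A preflight check for the workaround quoted in the comment above, as an added example that is not part of this thread or of RKE2's own code: it reads `profile:` from a node's config.yaml and reports whether the etcd account that the affected release requires is present. The function names and the optional passwd-format file argument are assumptions made for illustration; a profile passed only via the `--profile` flag is not detected.

```shell
#!/bin/sh
# Added example (not RKE2 code): check a node before starting rke2-server/rke2-agent.

# Print the value of the top-level "profile:" key of an RKE2 config.yaml (empty if unset).
rke2_profile() {
    sed -n 's/^profile:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tr -d "\"'" | head -n 1
}

# Succeed if the passwd-format data on stdin contains an entry for user $1.
has_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# preflight CONFIG [PASSWD_FILE]
# Returns 0 if the node can start, 1 if a CIS profile is set but the etcd user is missing.
# PASSWD_FILE is a hypothetical override for offline checks; by default NSS is queried.
preflight() {
    profile=$(rke2_profile "$1")
    case "$profile" in
        cis-*) ;;
        *) echo "no CIS profile set; etcd user not checked"; return 0 ;;
    esac
    if [ -n "${2:-}" ]; then
        passwd_data=$(cat "$2")
    else
        passwd_data=$(getent passwd etcd || true)
    fi
    if printf '%s\n' "$passwd_data" | has_user etcd; then
        echo "profile=$profile: etcd user present"
        return 0
    fi
    echo "profile=$profile: etcd user missing; rke2 exits with 'missing required user'" >&2
    return 1
}

# Stand-alone use: sh preflight.sh /etc/rancher/rke2/config.yaml
if [ "$#" -ge 1 ]; then
    preflight "$@"
    exit $?
fi
```

On releases with the fix validated below, a non-zero result on an agent no longer predicts a startup failure.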

@rancher-max rancher-max moved this from To Test to Waiting for RC in Development [DEPRECATED] Jun 16, 2021
@rancher-max
Contributor

rancher-max commented Jun 22, 2021

Validated in v1.20.8-rc1+rke2r1

  • etcd user is not required anymore on agents
  • clusters still pass cis checks

Development [DEPRECATED] automation moved this from Waiting for RC to Done Issue / Merged PR Jun 22, 2021