rancher: [BUG] Unable to install/upgrade v102 charts on hardened rke2 cluster

Rancher Server Setup

  • Rancher version: v2.7.2-rc7
  • Installation option (Docker install/Helm Chart): helm
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): rke2
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: 1.24
  • Cluster Type (Local/Downstream): downstream hardened ec2
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom)
    • If custom, define the set of permissions: admin

Describe the bug

Cannot install or upgrade to rancher-monitoring 102.0.0+up40.1.2 on hardened rke2 cluster

To Reproduce

  1. create rke2 hardened cluster
  2. attempt to install monitoring 102.0.0+up40.1.2

Result

Installation fails

Expected Result

Installation / upgrade succeeds

Screenshots

Additional context

Was able to install monitoring using helm install by enabling PSPs

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (13 by maintainers)

Most upvoted comments

Reviewed @stormqueen1990’s PR https://github.com/rancher/rancher-docs/pull/508 and it LGTM. To try to summarize what we discussed here (apart from whether there is a UI bug or not - see Ron’s previous message), we must recommend in general (from @prachidamle’s original comment):

  1. On a hardened 1.24 cluster (with charts with PSP enabled).
  2. Migrate all PSPs to PSS/PSA (as documented in @stormqueen1990’s blog post - currently in development). -> State: cluster is still in a hardened state.
  3. Configure an unrestricted PSP as the default PSP in the cluster (note: this specific step is missing in our docs). -> State: cluster is still in a hardened state due to PSS/PSA.
  4. Upgrade the charts, as described in the docs PRs, with Enable PodSecurityPolicies option = disabled.
  5. Update cluster to 1.25.

Does it sound right?

CC @cbron
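Step 2 of the procedure above (move the cluster's hardening from PSPs to PSS/PSA so that it stays hardened while the charts are upgraded with PodSecurityPolicies disabled) is the part that keeps the cluster safe during the migration. The following is an added example, not from this issue, the Rancher docs PR, or the RKE2 hardening guide: a cluster-wide PodSecurity admission configuration for a Kubernetes 1.24 API server, followed by a namespace that opts into the "restricted" Pod Security Standard via labels. The exempted namespaces (kube-system, cattle-system, cattle-monitoring-system) and the app-team namespace are assumptions chosen for illustration; which namespaces legitimately need host-level access (for example the monitoring node exporter) has to be decided per cluster.

```yaml
# Added example, not part of the issue or the Rancher/RKE2 docs.
# Cluster-wide Pod Security Admission defaults: every namespace that does not
# carry its own pod-security.kubernetes.io/* labels is enforced as "restricted".
# Pass this file to kube-apiserver with --admission-control-config-file=<path>
# (how the file reaches the API server is distribution specific; assumption:
# you are editing the API server configuration of the hardened rke2 cluster).
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    # v1beta1 is the PodSecurity configuration API available on Kubernetes 1.24;
    # switch to pod-security.admission.config.k8s.io/v1 after the 1.25 upgrade.
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      # Assumption: system and Rancher agent/monitoring workloads that need
      # privileged or host-namespace pods. Keep this list as short as possible
      # and review it; anything listed here bypasses PSA entirely.
      namespaces:
      - kube-system
      - cattle-system
      - cattle-monitoring-system
---
# A namespace that explicitly pins its own PSA level instead of relying on the
# cluster defaults. "app-team" is a constructed example name.
apiVersion: v1
kind: Namespace
metadata:
  name: app-team
  labels:
    pod-security.kubernetes.io/enforce: restricted
    # Pinning the version keeps the enforced rule set stable across the
    # 1.24 -> 1.25 upgrade; "latest" would pick up new checks automatically.
    pod-security.kubernetes.io/enforce-version: v1.24
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

Before enforcing, preview which existing workloads would be rejected without blocking anything: `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted` reports the violations per namespace as warnings. The audit and warn modes above give the same information continuously once the configuration is live, so the PSPs can be removed (and the charts upgraded with PSP support disabled) while the API server keeps rejecting privileged pods in non-exempt namespaces.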

When doing step 1, the cluster will be in a hardened state with PSS/PSA, so step 2 would be to disable PSP at the cluster level.

Can the users be directed to “unharden” the cluster to unblock this situation, and after the charts are updated to drop PSPs and the cluster is upgraded to 1.25, they can apply any hardening back?

No, I wouldn’t recommend this, because it can lead to an insecure cluster (on an expected hardened environment). Plus it opens a window to attacks. We already wrote some info about how to transition and there is also the PR https://github.com/rancher/rancher-docs/pull/508 from @stormqueen1990 with instructions about how to migrate from PSP to PSS/PSA before the upgrade.