RKE2 Config not working in 1.25+

[jason-w-stanley]

Our team has been using mostly the same config for RKE2 versions 1.21.x -> 1.24.x without issue. With RKE2 1.25.x we removed the PodSecurityPolicy admission plugin and changed the CIS profile version to 1.23, however kubelet will not start. Removing the additional flags from the kublet args allows it start but breaks some security checks. We see the same behavior for other components if we remove the additional flags, then the components become healthy. Should we be setting these flags in a different way, via the --config option and file? Below is the config.yaml

token: "ageneratedtoken"
cloud-provider-name: "aws"
node-taint :
 - 'node-role.kubernetes.io/control-plane:NoSchedule'
tls-san:
- rke2-module-unittest-cluster-lb-45a20f9384277da0.elb.us-gov-east-1.amazonaws.com
profile: "cis-1.23"
write-kubeconfig-mode: "0640"
kube-controller-manager-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  - "feature-gates=CSIMigrationAWS=false"
  - "use-service-account-credentials=true"
kube-scheduler-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
kube-apiserver-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  - "enable-admission-plugins=NodeRestriction,ValidatingAdmissionWebhook"
  - "request-timeout=300s"
  - "feature-gates=CSIMigrationAWS=false"
kubelet-arg:
  - "streaming-connection-idle-timeout=5m"
  - "feature-gates=CSIMigrationAWS=false"
audit-policy-file:
  - "/var/lib/rancher/rke2/server/policy/lsre-audit-policy.yaml"
etcd-extra-env:
  - "ETCD_AUTO_TLS=false"
  - "ETCD_PEER_AUTO_TLS=false"

See a bunch of warnings about setting config via flags and then kubelet exits and repeats
journalctl -fu rke2-server

un 19 14:33:44 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[4474]: time="2023-06-19T14:33:44Z" level=error msg="Kubelet exited: exit status 1"
Jun 19 14:33:45 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[4474]: {"level":"warn","ts":"2023-06-19T14:33:45.522Z","logger":"etcd-client","caller":"[email protected]/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0004c48c0/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: Error while dialing dial tcp 127.0.0.1:2379: connect: connection refused\""}
Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[5336]: Flag --volume-plugin-dir has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[5336]: Flag --file-check-frequency has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[5336]: Flag --sync-frequency has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[5336]: Flag --eviction-hard has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[5336]: Flag --eviction-minimum-reclaim has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
.
. lots of flag deprecations warnings
.
.Jun 19 14:33:49 ip-10-101-4-218.us-gov-east-1.compute.internal rke2[4474]: time="2023-06-19T14:33:49Z" level=error msg="Kubelet exited: exit status 1"

kublet.log

Running on machine: ip-10-101-4-218
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
Log file created at: 2023/06/19 14:54:27
Running on machine: ip-10-101-4-218
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
Log file created at: 2023/06/19 14:54:32
Running on machine: ip-10-101-4-218
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg

[jason-w-stanley]

Removing additional config flags for components works fine and cluster components start and HA cluster created without issue

token: "ageneratedtoken"
cloud-provider-name: "aws"
node-taint :
 - 'node-role.kubernetes.io/control-plane:NoSchedule'
tls-san:
- rke2-module-unittest-cluster-lb-a34404696aaeb04c.elb.us-gov-east-1.amazonaws.com
profile: "cis-1.23"

[brandond]

Yes, you had some options in there that were no longer supported by the kubelet as of 1.25. If you add alsologtostderr=true to the kubelet args, you'd probably see that show up in the log output. Some errors early in the kubelet startup process (in particular those relating to flag parsing and validation) only go to stderr, not the log file.

[jason-w-stanley]

Copy, so going forward (1.25 and >) use --config flag and add to a config file for all components?

adding the lasologtostderr=true to see what flags are failing

[jason-w-stanley]

looking at https://v1-25.docs.kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

both the flags below are listed as DEPRECATED but should still be valid

kubelet-arg:
  - "streaming-connection-idle-timeout=5m"
  - "feature-gates=CSIMigrationAWS=false"

Maybe I am missing something?

[brandond]

Copy, so going forward (1.25 and >) use --config flag and add to a config file for all components?

No, use the flag deprecation warnings. If you use a config file, you have to pass ALL the config via the file, as it ignores flags - and we still do all of our configuration via flags.

both the flags below are listed as DEPRECATED but should still be valid

Yeah, those look OK. Can you paste the full logs from starting with the kubelet set to logtostderr=true or alsologtostderr=true? It's not liking something about your flags, but its hard to tell what.

[jason-w-stanley]

will do, just note removed - "feature-gates=CSIMigrationAWS=false" from kubelet, then healthy, also removed from apiserver and controller for them to be healthy. Cluster is now up with following config

oken: "ageneratedtoken"
cloud-provider-name: "aws"
node-taint :
 - 'node-role.kubernetes.io/control-plane:NoSchedule'
tls-san:
- rke2-module-unittest-cluster-lb-901fa758403caedc.elb.us-gov-east-1.amazonaws.com
profile: "cis-1.23"
# LSRE RKE2 DISA STIG disa-stig-v1r6 config settings START
write-kubeconfig-mode: "0640"
kube-controller-manager-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  - "use-service-account-credentials=true"
kube-scheduler-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
kube-apiserver-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  - "enable-admission-plugins=NodeRestriction,ValidatingAdmissionWebhook"
  - "request-timeout=300s"
kubelet-arg:
  - "alsologtostderr=true"
  - "streaming-connection-idle-timeout=5m"
  - "protect-kernel-defaults=true"
audit-policy-file:
  - "/var/lib/rancher/rke2/server/policy/lsre-audit-policy.yaml"
etcd-extra-env:
  - "ETCD_AUTO_TLS=false"
  - "ETCD_PEER_AUTO_TLS=false"

[jason-w-stanley]

Added back feature-gates flag with CSIMigrationAWS=false

kubelet-arg:
  - "feature-gates=CSIMigrationAWS=false"
  - "alsologtostderr=true"
  - "streaming-connection-idle-timeout=5m"
  - "protect-kernel-defaults=true"

kubelet now fails to start.

turned on alsologtostderr but dont see anything in kubelet.log
it is still repeating the same message as before

Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
Log file created at: 2023/06/21 17:26:43
Running on machine: ip-10-101-4-217
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
Log file created at: 2023/06/21 17:26:48
Running on machine: ip-10-101-4-217
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
Log file created at: 2023/06/21 17:26:53
Running on machine: ip-10-101-4-217
Binary: Built with gc go1.19.9 X:boringcrypto for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg

the below repeats

journalctl -u rke2-server | grep -i kubelet

Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --file-check-frequency has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --sync-frequency has been deprecated, This parameter should be set via the config file specified by theKubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --cloud-provider has been deprecated, will be removed in 1.25 or later, in favor of removing cloud provider code from Kubelet.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --cloud-config has been deprecated, will be removed in 1.25 or later, in favor of removing cloud provider code from Kubelet.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --address has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --anonymous-auth has been deprecated, This parameter should be set via the config file specified by theKubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --authentication-token-webhook has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --authorization-mode has been deprecated, This parameter should be set via the config file specified bythe Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --cgroup-driver has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --client-ca-file has been deprecated, This parameter should be set via the config file specified by theKubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --cluster-dns has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --cluster-domain has been deprecated, This parameter should be set via the config file specified by theKubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --containerd has been deprecated, This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --eviction-hard has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --eviction-minimum-reclaim has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --fail-swap-on has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --feature-gates has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --healthz-bind-address has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --pod-manifest-path has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --protect-kernel-defaults has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --read-only-port has been deprecated, This parameter should be set via the config file specified by theKubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --register-with-taints has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --resolv-conf has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --serialize-image-pulls has been deprecated, This parameter should be set via the config file specifiedby the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --streaming-connection-idle-timeout has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --tls-cert-file has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4928]: Flag --tls-private-key-file has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Jun 21 17:40:32 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[4482]: time="2023-06-21T17:40:32Z" level=error msg="Kubelet exited: exit status 1"

[jason-w-stanley]

found these logs
journalctl -u rke2-server | grep -i CSIMigrationAWS

Jun 21 18:45:08 ip-10-101-4-217.us-gov-east-1.compute.internal rke2[11347]: E0621 18:45:08.790541   11347 run.go:74] "command failed" err="failed to set feature gates from initial flags-based config: cannot set feature gate CSIMigrationAWS to false, feature is locked to true"

So do I understand the documentation correctly, the CSIMigrationAWS flag should default to true in 1.25 but you can override to false?

https://v1-25.docs.kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

CSIMigration=true|false (BETA - default=true)
CSIMigrationAWS=true|false (BETA - default=true)
CSIMigrationAzureFile=true|false (BETA - default=true)
CSIMigrationGCE=true|false (BETA - default=true)
CSIMigrationPortworx=true|false (ALPHA - default=false)
CSIMigrationRBD=true|false (ALPHA - default=false)
CSIMigrationvSphere=true|false (BETA - default=false)

Then in 1.26 it is removed and you must provide implementation?

https://v1-26.docs.kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

CSIMigrationPortworx=true|false (BETA - default=false)
CSIMigrationRBD=true|false (ALPHA - default=false)
CSINodeExpandSecret=true|false (ALPHA - default=false)
CSIVolumeHealth=true|false (ALPHA - default=false)

[jason-w-stanley]

Well I think I found answer, but would appreciate confirmation as seems to be some conflict in documentation of the status of the feature flag

https://v1-25.docs.kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/

states the flag is GA in 1.25 which means you can't disable and would match the log error seen above

the kubelet cli docs say its BETA

https://v1-25.docs.kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

[brandond]

The behavior matches the feature-gates documentation; I suspect it's the kubelet docs that are wrong. Is that enough confirmation?

[jason-w-stanley]

yep, thanks much