rancherfederal / rancher-cluster-templates

Helm Chart for Provisioning Clusters with the Rancher Multi-Cluster Manager with Rancher Cluster Templates
MIT License

[RFE] Correct Configuration of kubelet-arg in Rancher Cluster Templates #9

Closed shabazzfsher closed 4 weeks ago

shabazzfsher commented 4 months ago

Feature Request

Request description: The customer has reported that within the Rancher Cluster Templates, the placement of kubelet-arg configurations in the cluster.yaml file seems to be either incorrect or not optimal.

Additional notes: The customer proposes an enhancement to the Rancher Cluster Templates that ensures kubelet-arg can be set accurately and effectively, reflecting in the appropriate section of the cluster.yaml.

Example:

apiVersion: provisioning.cattle.io/v1
kind: Cluster
metadata:
  name: ds01
  namespace: fleet-default
spec:
  defaultPodSecurityAdmissionConfigurationTemplateName: rancher-privileged
  rkeConfig:
    machineGlobalConfig:
      disable:
      - rke2-ingress-nginx
      tls-san:
      - <domain name here>
    machineSelectorConfig:
    - config:
        kubelet-arg:
         - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         - authorization-mode=Webhook
         - streaming-connection-idle-timeout=5m

zackbradys commented 4 months ago

Hey @shabazzfsher, could you confirm with the customer what improvements they would like to see to the kubelet-arg?

Currently, you are able to set kubelet-args in the values, under cluster.config.kubelet_arg.

https://github.com/rancherfederal/rancher-cluster-templates/blob/f18e0f2bbfc1be4d4b1d44c75bb7985fb62aeaff/charts/cluster-templates/values.yaml#L47-L48

shabazzfsher commented 4 months ago

Hi Zack, there seems to be a little misunderstanding about the proper location for the kubelet. The customer has identified the correct location in the provided .yaml example. They are now seeking to verify the cluster specification's correctness to demonstrate that the current approach is ineffective.

bcdurden commented 3 months ago

kubelet-arg is currently part of the machineGlobalConfig map. As it is a map definitely managed by the upstream Rancher CRD, it cannot be changed from its current state. While it does inhibit kubelet configs for individual nodes as it is a cluster-wide setting, this use-case can be handled via cloud-init if necessary.

bcdurden commented 3 months ago

Appears that user has figured out the issue. Closing

zlmitchell commented 2 months ago

@bcdurden This is not closed or resolved. This CRD is Clusters provisioning.cattle.io/v1. kubelet-arg is not directly under the machineGlobalConfig; it is instead under spec.rkeConfig.machineSelectorConfig.[]config.kubelet-arg

This is the correct location for the kubelet-args. https://github.com/rancherfederal/rancher-cluster-templates/blob/f18e0f2bbfc1be4d4b1d44c75bb7985fb62aeaff/charts/cluster-templates/templates/cluster.yaml#L186


There is no valid configuration under spec.rkeConfig.machineGlobalConfig.kubelet-arg, which is what the Helm chart does.

Also note https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration#cluster-config-file-reference: protect-kernel-defaults is under machineSelectorConfig.

zackbradys commented 2 months ago

hey @zlmitchell, the only difference between machineGlobalConfig and machineSelectorConfig is if it gets applied to all nodes or selected nodes so the kubelet-arg or any other configuration option will work in either map.

We don't have support for machineSelectorConfig in the helm chart yet, but I'm currently working on adding machineSelectorConfig, machineSelectorFiles, and a few more changes this week. Let me know if this makes sense!

zlmitchell commented 2 months ago

Can you reopen this issue as it is still under development?

zackbradys commented 2 months ago

hey @zlmitchell, issue is reopened! when the new helm chart version is released, please test and validate.

zackbradys commented 4 weeks ago

Closing as resolved per the latest releases.
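
The thread names two places where kubelet-arg may appear, spec.rkeConfig.machineGlobalConfig and spec.rkeConfig.machineSelectorConfig[].config. The following is an added example, not code from the chart or from any commenter: a Python check that reports where kubelet-arg is set in a Cluster object (already loaded as a dict) and whether the flags from the issue's manifest reach every machine. It assumes that a machineSelectorConfig entry without machineLabelSelector applies to all machines; the sample objects and the role=worker label are constructed.

```python
# Expected kubelet flags, taken from the manifest in the issue; None = any non-empty value.
REQUIRED = {"tls-cipher-suites": None, "authorization-mode": "Webhook",
            "streaming-connection-idle-timeout": "5m"}

def parse_args(arg_list):
    """Turn ['key=value', ...] into a dict; a bare flag maps to ''."""
    out = {}
    for item in arg_list or []:
        key, _, value = str(item).partition("=")
        out[key.strip().lstrip("-")] = value.strip()
    return out

def kubelet_arg_locations(cluster):
    """Return (path, selector, args) for every place kubelet-arg is set."""
    rke = (cluster.get("spec") or {}).get("rkeConfig") or {}
    found = []
    global_cfg = rke.get("machineGlobalConfig") or {}
    if "kubelet-arg" in global_cfg:
        found.append(("machineGlobalConfig", None, parse_args(global_cfg["kubelet-arg"])))
    for i, entry in enumerate(rke.get("machineSelectorConfig") or []):
        cfg = entry.get("config") or {}
        if "kubelet-arg" in cfg:
            found.append((f"machineSelectorConfig[{i}].config",
                          entry.get("machineLabelSelector"), parse_args(cfg["kubelet-arg"])))
    return found

def audit(cluster):
    """Report required flags that no cluster-wide location sets as expected."""
    locations = kubelet_arg_locations(cluster)
    # Assumption: an entry without machineLabelSelector applies to every machine.
    wide = [args for _, selector, args in locations if not selector]
    scoped = [args for _, selector, args in locations if selector]
    findings = []
    for key, want in REQUIRED.items():
        ok = lambda a: bool(a.get(key)) and (want is None or a[key] == want)
        if any(ok(a) for a in wide):
            continue
        where = "only for selected machines" if any(ok(a) for a in scoped) else "nowhere"
        findings.append(f"{key}: set {where}")
    return findings

# Constructed samples: the issue's layout, and the same flags behind a label selector.
ARGS = ["tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "authorization-mode=Webhook", "streaming-connection-idle-timeout=5m"]
ISSUE_LAYOUT = {"spec": {"rkeConfig": {
    "machineGlobalConfig": {"disable": ["rke2-ingress-nginx"]},
    "machineSelectorConfig": [{"config": {"kubelet-arg": ARGS}}]}}}
SCOPED_LAYOUT = {"spec": {"rkeConfig": {"machineSelectorConfig": [
    {"machineLabelSelector": {"matchLabels": {"role": "worker"}},  # constructed label
     "config": {"kubelet-arg": ARGS[1:]}}]}}}

if __name__ == "__main__":
    for name, doc in (("issue layout", ISSUE_LAYOUT), ("scoped layout", SCOPED_LAYOUT)):
        print(name, kubelet_arg_locations(doc), audit(doc))
```

To run it against a live cluster, export the Cluster object as JSON and pass the loaded dict to `audit`; an empty list means every required flag is set in a location that covers all machines.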