This section contains current known issues and limitations with rke2. If you come across issues with rke2 not documented here, please open a new issue against the rke2 project.
Firewalld conflicts with RKE2's default Canal (Calico + Flannel) networking stack. To avoid unexpected behavior, firewalld should be disabled on systems running RKE2.
Istio does not run under SELinux on RKE2 by default. This is due to just-in-time kernel module loading by rke2, which SELinux disallows unless the container is privileged. Allowing Istio to run under these conditions requires two steps:
- Enable CNI as part of the Istio install. Note that this feature was still in Alpha at the time of this writing. Ensure `values.cni.cniBinDir=/opt/cni/bin` and `values.cni.cniConfDir=/etc/cni/net.d` are set.
- After the install is complete, the `cni-node` pods will be in CrashLoopBackOff. Manually edit their daemonset to set `securityContext.privileged: true` on the `install-cni` container.
This can also be done directly through Rancher, if desired. For the exact failures and detailed logs seen when these steps are not followed, see Issue 504.
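The two steps above, scripted end to end as an added example (this is not code from the rke2 docs or from the Istio project). It assumes `istioctl` and `kubectl` are on the PATH and pointed at the RKE2 cluster, that the CNI daemonset is named `istio-cni-node` with a container named `install-cni`, and that it lives in the namespace given by `CNI_NAMESPACE` (`kube-system` on the Istio releases this section was written against; newer releases place it in `istio-system`). The patch is a strategic-merge patch, which keys the `containers` list on `name`, so only the `install-cni` container is changed.

```shell
#!/bin/sh
# Added example, not from the rke2 docs or the Istio project.
# Assumptions: istioctl/kubectl configured for the RKE2 cluster; daemonset
# istio-cni-node with container install-cni in $CNI_NAMESPACE.
set -eu

CNI_NAMESPACE="${CNI_NAMESPACE:-kube-system}"
CNI_DAEMONSET="${CNI_DAEMONSET:-istio-cni-node}"

# Step 1: arguments for `istioctl` that enable the CNI component and point it
# at the CNI binary and config directories RKE2 uses.
istio_install_args() {
  printf '%s\n' \
    install \
    --set components.cni.enabled=true \
    --set values.cni.cniBinDir=/opt/cni/bin \
    --set values.cni.cniConfDir=/etc/cni/net.d
}

# Step 2: strategic-merge patch marking the install-cni container privileged.
# Only the container whose name matches is modified; other containers,
# volumes and labels on the daemonset are left untouched.
privileged_patch() {
  printf '%s\n' \
    '{"spec":{"template":{"spec":{"containers":[{"name":"install-cni","securityContext":{"privileged":true}}]}}}}'
}

# Read back the effective setting so the change can be verified after rollout.
verify_privileged() {
  kubectl -n "$CNI_NAMESPACE" get daemonset "$CNI_DAEMONSET" \
    -o jsonpath='{.spec.template.spec.containers[?(@.name=="install-cni")].securityContext.privileged}'
}

# Only touch the cluster when explicitly asked; sourcing the file is harmless.
if [ "${RKE2_ISTIO_APPLY:-}" = "1" ]; then
  # shellcheck disable=SC2046  # word-splitting of the argument list is intended
  istioctl $(istio_install_args)
  kubectl -n "$CNI_NAMESPACE" patch daemonset "$CNI_DAEMONSET" \
    --type strategic --patch "$(privileged_patch)"
  kubectl -n "$CNI_NAMESPACE" rollout status "daemonset/$CNI_DAEMONSET" --timeout=180s
  echo "install-cni privileged: $(verify_privileged)"
fi
```

Run with `RKE2_ISTIO_APPLY=1 sh istio-selinux.sh`; without the variable the script only defines the helpers, which is useful for reviewing the patch before applying it. Expect `verify_privileged` to print `true` once the daemonset has rolled out.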
Linux distributions are increasingly shipping with kernels and userspaces that support cgroups v2, e.g. Fedora since release 31. However, at the time of this writing, the containerd that is built and shipped with RKE2 is a 1.3.x fork (with back-ported SELinux commits from 1.4.x) which does not support cgroups v2. Until RKE2 ships with containerd v1.4.x, running it on cgroups v2 capable systems requires a little up-front configuration:

Assuming a systemd-based system, setting the `systemd.unified_cgroup_hierarchy=0` kernel parameter will indicate to systemd that it should run with hybrid (cgroups v1 + v2) support.

Combined with the above, setting the `systemd.legacy_systemd_cgroup_controller=1` kernel parameter will indicate to systemd that it should run with legacy (cgroups v1) support.

As these are kernel command-line arguments, they must be set in the system bootloader so that they are passed to systemd as PID 1 at /sbin/init. A host whose `/sys/fs/cgroup` is mounted as `cgroup2fs` is running the pure unified hierarchy and needs this change before RKE2 will start; a `tmpfs` mount there indicates hybrid or legacy mode, which the shipped containerd supports.
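An added example (not from the rke2 docs) that checks which cgroup hierarchy a host is booted into and prints the bootloader change described above when it is needed. It assumes a systemd-based host and uses `grubby` to edit the kernel command line, which fits the Fedora/RHEL family; distributions that manage `/etc/default/grub` directly need the equivalent edit there. The `cmdline_has_params` check takes the command line as an argument so it can be exercised on a constructed string as well as on `/proc/cmdline`.

```shell
#!/bin/sh
# Added example, not from the rke2 docs. Assumes a systemd-based host and
# grubby for the bootloader edit (Fedora/RHEL family).
set -eu

# Kernel parameters from the section above.
CGROUP_PARAMS="systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1"

# Map the filesystem type mounted at /sys/fs/cgroup to a cgroup mode:
#   cgroup2fs -> unified (pure v2: the shipped 1.3.x containerd cannot run)
#   tmpfs     -> v1      (legacy or hybrid: both work with containerd 1.3.x)
cgroup_mode_from_fstype() {
  case "$1" in
    cgroup2fs) echo unified ;;
    tmpfs)     echo v1 ;;
    *)         echo unknown ;;
  esac
}

# Live value for this host.
host_cgroup_mode() {
  cgroup_mode_from_fstype "$(stat -fc %T /sys/fs/cgroup)"
}

# Succeeds only when every required parameter appears as a whole word on the
# kernel command line given in $1 (normally the contents of /proc/cmdline).
cmdline_has_params() {
  for p in $CGROUP_PARAMS; do
    case " $1 " in
      *" $p "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# The bootloader change: add the parameters to every installed kernel entry.
grubby_command() {
  printf 'grubby --update-kernel=ALL --args="%s"\n' "$CGROUP_PARAMS"
}

# Only inspect the host when asked, so the file can be sourced for its helpers.
if [ "${RKE2_CGROUP_CHECK:-}" = "1" ]; then
  mode="$(host_cgroup_mode)"
  echo "cgroup mode: $mode"
  if [ "$mode" = unified ]; then
    if cmdline_has_params "$(cat /proc/cmdline)"; then
      echo "parameters are on the command line but systemd still runs unified; check the systemd version"
    else
      echo "switch to hybrid/legacy with the following, then reboot:"
      grubby_command
    fi
  fi
fi
```

Run with `RKE2_CGROUP_CHECK=1 sh cgroup-check.sh` before installing RKE2 on a cgroups v2 distribution; after the reboot, `host_cgroup_mode` should report `v1`.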
See: