Test Longhorn deployment on RKE2 v1.25+ with CIS-1.23 profile

This is an expansion of Test Longhorn deployment on RKE2 v1.24- with CIS-1.6 profile, which was created in response to 2292. However, later versions of RKE2 only support CIS-1.23.

Scenario

  1. Prepare 1 control plane node and 3 worker nodes.
  2. Install the latest RKE2 with CIS-1.23 profile on 1 control plane node.
sudo su -

systemctl disable firewalld # On a supporting OS.
systemctl stop firewalld # On a supporting OS.

yum install iscsi-initiator-utils # Or the OS equivalent.
systemctl enable --now iscsid

curl -sfL https://get.rke2.io | sh -

systemctl enable rke2-server.service

cat << EOF > /etc/sysctl.d/60-rke2-cis.conf
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
sudo systemctl restart systemd-sysctl

useradd -r -c "etcd user" -s /sbin/nologin -M etcd

mkdir -p /etc/rancher/rke2/
cat << EOF > /etc/rancher/rke2/config.yaml
profile: "cis-1.23"
EOF

systemctl start rke2-server.service

SERVER_NODE_TOKEN=`cat /var/lib/rancher/rke2/server/node-token`
  1. Install RKE2 with CIS-1.23 profile on 3 worker nodes.
sudo su -

systemctl disable firewalld # On a supporting OS.
systemctl stop firewalld # On a supporting OS.

yum install iscsi-initiator-utils # Or the OS equivalent.
systemctl enable --now iscsid

curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" sh -

systemctl enable rke2-agent.service

cat << EOF > /etc/sysctl.d/60-rke2-cis.conf
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
sudo systemctl restart systemd-sysctl

mkdir -p /etc/rancher/rke2/
cat << EOF > /etc/rancher/rke2/config.yaml
server: https://$CONTROL_PLANE_NODE_IP_ADDRESS:9345
token: $SERVER_NODE_TOKEN
profile: "cis-1.23"
EOF

systemctl start rke2-agent.service
  1. Test install Longhorn by helm without problem. (These commands assume a pre-release chart. When testing a released chart, use helm repo add etc.)
git clone https://github.com/longhorn/longhorn.git
cd longhorn
git checkout $VERSION_TO_TEST

# Pod security admission labels are required for CIS-1.23.
kubectl label ns longhorn-system pod-security.kubernetes.io/enforce=privileged
kubectl label ns longhorn-system pod-security.kubernetes.io/enforce-version=latest
kubectl label ns longhorn-system pod-security.kubernetes.io/audit=privileged
kubectl label ns longhorn-system pod-security.kubernetes.io/audit-version=latest
kubectl label ns longhorn-system pod-security.kubernetes.io/warn=privileged
kubectl label ns longhorn-system pod-security.kubernetes.io/warn-version=latest

helm install --namespace longhorn-system longhorn ./chart
  1. Prepare the longhorn-values.yaml.
ingress:
  enabled: true
  annotations:
    foo: bar
  1. Test upgrade Longhorn by helm without problem.
helm upgrade --namespace longhorn-system --values longhorn-values.yaml longhorn ./chart
  1. Verify the upgrade “worked” by checking for the deployed ingress.
kubectl get ingress -n longhorn-system
  1. Test uninstall Longhorn by helm without problem.
helm uninstall longhorn --namespace longhorn-system
  1. Test install Longhorn by kubectl without problem.
kubectl apply -f deploy/longhorn.yaml
  1. Test uninstall Longhorn by kubectl without problem.
kubectl apply -f uninstall/uninstall.yaml
kubectl delete -f deploy/longhorn.yaml
kubectl delete -f uninstall/uninstall.yaml
[Edit]