RKE2 cluster provisioning in Rancher with profile: cis-1.6 requires the parameter protect-kernel-defaults to be set to true

This document (000020949) is provided subject to the disclaimer at the end of this document.


Rancher 2.6


When provisioning a new custom RKE2 cluster with Worker CIS Profile 1.6 from the Rancher UI, if the parameter "protect-kernel-defaults" is not set to "true", the RKE2 server will exit with an error:
RKE2 server error log

# journalctl -fu rke2-server
Starting Rancher Kubernetes Engine v2 (server)...
sh[26475]: + /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service
sh[26475]: /bin/sh: 1: /usr/bin/systemctl: not found
rke2[26486]: time="2023-01-23T12:11:54Z" level=fatal msg="--protect-kernel-defaults must be true when using --profile=cis-1.6"
systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: rke2-server.service: Failed with result 'exit-code'



How to set flag protect-kernel-defaults?

When provisioning the cluster, "protect-kernel-defaults" can be set in the Advanced section under Cluster Configuration.
  1. Click ☰ > Cluster Management
  2. On the Clusters page, click Create
  3. Toggle the switch to RKE2/K3s
  4. Custom
  5. Cluster Configuration ==> Advanced
  6. Click the checkbox "Raise error if kernel parameters are different than the expected kubelet defaults"


When RKE2 starts with the "profile" flag set to cis-1.6, "protect-kernel-defaults" is exposed as a configuration flag for RKE2. This flag has to be set to "true" when provisioning the cluster.
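
A node-side pre-flight check for the two conditions described above, added here as an example (it is not part of the original article or of RKE2). It assumes a flat "key: value" RKE2 config file passed as an argument, and it assumes the four kernel parameters from the sysctl file in the RKE2 CIS hardening guide are the ones compared once the flag is on; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before starting RKE2 with a CIS profile.

# Print the value of a top-level "key: value" entry in a flat YAML file
# (assumption: no nesting; quotes and trailing comments are stripped).
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e "s/[\"']//g" \
        | head -n 1
}

# Return 1 when a cis-* profile is configured without
# protect-kernel-defaults: true, the condition behind the fatal log line.
check_cis_config() {
    profile=$(yaml_value "$1" profile)
    protect=$(yaml_value "$1" protect-kernel-defaults)
    case "$profile" in
        cis-*)
            if [ "$protect" != "true" ]; then
                echo "FAIL: profile=$profile needs protect-kernel-defaults: true" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Compare kernel parameters under a sysctl root (default /proc/sys) with the
# values from the RKE2 CIS sysctl file (assumed set; see lead-in).
check_kernel_defaults() {
    root=${1:-/proc/sys}
    rc=0
    for want in vm/overcommit_memory=1 vm/panic_on_oom=0 \
                kernel/panic=10 kernel/panic_on_oops=1; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(cat "$root/$key" 2>/dev/null) || actual=""
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $key is '${actual:-unreadable}', expected $expected" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh preflight.sh <path-to-rke2-config>
if [ -n "${1:-}" ]; then
    check_cis_config "$1" && check_kernel_defaults
fi
```

With the flag set to true, a mismatch in these kernel parameters becomes a startup error instead of being silently adjusted, so running the second check before provisioning avoids a failed node registration.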

Additional Information

RKE2 is designed to be "hardened by default" and pass the majority of the Kubernetes CIS controls without modification. There are a few notable exceptions to this that require manual intervention to fully pass the CIS Benchmark. 

CIS Hardening Guide


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020949
  • Creation Date: 19-May-2023
  • Modified Date: 19-May-2023
  • SUSE Rancher
