docs: hardening: Recommend systemd-sysctl service usage only initially

Make it clear that setting sysctls and using systemd-sysctl should be done only after RKE2 installation and before actual Kubernetes deployment, because Kubernetes components or CNI plugins might modify some sysctls on their own. Ref: rancher#2021 Signed-off-by: Michal Rostecki <[email protected]>
vadorovsky · Nov 15, 2021 · 56f92b2 · 56f92b2
1 parent c7a4e7d
commit 56f92b2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/docs/security/hardening_guide.md b/docs/security/hardening_guide.md
@@ -64,6 +64,10 @@ sysctls are applied at boot by running the following command during start-up:
 sysctl -p /usr/local/share/rke2/rke2-cis-sysctl.conf
 ```
 
+Please perform this step only on fresh installations, before actually using RKE2 to deploy Kubernetes. Many
+Kubernetes components, including CNI plugins, are setting up their own sysctls. Restarting the
+`systemd-sysctl` service on a running Kubernetes cluster can result in unexpected side-effects.
+
 #### Create the etcd user
 On some Linux distributions, the `useradd` command will not create a group. The `-U` flag is included below to account for that. This flag tells `useradd` to create a group with the same name as the user.