Linkerd-viz namespace-metadata not working on RKE2 cluster

Hello,

I’m trying to install linkerd on an RKE2 cluster.
This cluster is created with the cis-1.23 profile, as recommended on the RKE2 website: CIS Hardening Guide | RKE2

When I install linkerd-viz, the namespace-metadata pod starts. I think it tries to add custom labels to the linkerd (or linkerd-viz?) namespace, but it fails.

ERROR linkerd_extension_init: failed patching namespace: ApiError: admission webhook "rancher.cattle.io.namespaces" denied the request: Unauthorized: Unauthorized (ErrorResponse { status: "Failure", message: "admission webhook \"rancher.cattle.io.namespaces\" denied the request: Unauthorized", reason: "Unauthorized", code: 403 })

The error is pretty clear: the namespace can’t be updated because the Rancher admission webhook doesn’t authorize the modification.
However, I have no idea how I can get around this problem.

Does anyone have an idea?

Thank you,
Corentin

I understand how constrained environments might deny edit privileges on namespaces. In this particular case, you can delete the namespace-metadata Job and perform what it wants to do manually, which is adding the following metadata to the linkerd-viz namespace:

  • the linkerd.io/extension: viz label
  • pod-security.kubernetes.io/enforce label set to privileged, or if you’re using the linkerd-cni plugin, set to restricted.
  • If you’re using a different Prometheus instance than the one provided by default, you should refer to it in the viz.linkerd.io/external-prometheus annotation.

Note to self: we should provide an option to disable this Job! :slight_smile:
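One way to carry out the steps above without patching the namespace in-cluster, as an added example that is not part of the thread or of Linkerd’s own tooling: render the linkerd-viz Namespace manifest with the metadata the namespace-metadata Job would have applied, keep that manifest in the repository ArgoCD syncs, and check the live namespace afterwards. The function names, the `cni` mode flag and the sample Prometheus URL are this example’s assumptions; the Job itself still has to be removed as described in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread or from Linkerd): do by hand what the
# linkerd-viz namespace-metadata Job does, as a manifest you can keep in git.
# Assumptions: the namespace is named linkerd-viz, the second argument is the
# literal "cni" when linkerd-cni is in use, and the Prometheus URL is a sample.

# render_viz_namespace NAMESPACE MODE [EXTERNAL_PROMETHEUS_URL]
#   MODE "cni"  -> pod-security.kubernetes.io/enforce: restricted (linkerd-cni)
#   any other   -> pod-security.kubernetes.io/enforce: privileged (default)
# Prints a Namespace manifest carrying the labels (and the optional
# annotation) that the Job would otherwise patch onto the namespace.
render_viz_namespace() {
  rvn_ns="$1"
  rvn_mode="$2"
  rvn_prom="$3"
  if [ "$rvn_mode" = "cni" ]; then
    rvn_psa=restricted
  else
    rvn_psa=privileged
  fi
  printf 'apiVersion: v1\nkind: Namespace\nmetadata:\n  name: %s\n' "$rvn_ns"
  printf '  labels:\n    linkerd.io/extension: viz\n'
  printf '    pod-security.kubernetes.io/enforce: %s\n' "$rvn_psa"
  if [ -n "$rvn_prom" ]; then
    printf '  annotations:\n    viz.linkerd.io/external-prometheus: %s\n' "$rvn_prom"
  fi
}

# verify_viz_metadata EXPECTED_PSA < manifest.yaml
# Reads a Namespace manifest on stdin (a rendered file, or the live object via
# `kubectl get ns linkerd-viz -o yaml`) and fails, naming each missing key,
# unless the metadata the Job adds is present. The match is a plain-text grep,
# so it expects the unquoted form kubectl prints for these values.
verify_viz_metadata() {
  vvm_psa="$1"
  vvm_manifest=$(cat)
  vvm_rc=0
  for vvm_kv in 'linkerd.io/extension: viz' \
                "pod-security.kubernetes.io/enforce: $vvm_psa"; do
    if ! printf '%s\n' "$vvm_manifest" | grep -qF -- "$vvm_kv"; then
      echo "missing: $vvm_kv" >&2
      vvm_rc=1
    fi
  done
  return "$vvm_rc"
}

# Usage: print the manifest (here with a sample external Prometheus URL), write
# it next to the other linkerd-viz Application sources, and check the live
# namespace once ArgoCD has synced it.
render_viz_namespace linkerd-viz cni http://prometheus.monitoring.svc:9090
# render_viz_namespace linkerd-viz cni > linkerd-viz-namespace.yaml
# kubectl get ns linkerd-viz -o yaml | verify_viz_metadata restricted
```

Choosing `restricted` only when linkerd-cni is present mirrors the rule in the reply above: the default init container needs `privileged`, and applying `restricted` without the CNI plugin would block the proxy injection. The verification step is what tells you the admission webhook actually let the metadata through.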

Hello,

Thank you for answering my question.
I can delete the job manually, but this won’t make my ArgoCD happy. :smiley:

You’re right, maybe the best option is to provide an option to disable this job.
For now I’ll delete it manually and apply this metadata myself.

I’ve added this ticket asking for help implementing that option :wink:

Well thank you for your time. :slight_smile: