How does RKE2 limit pids in a container? #7041

Closed
ertanci opened this issue Oct 15, 2024 · 3 comments
ertanci commented Oct 15, 2024

RKE2 Version:
v1.24.9+rke2r2

Node(s) CPU architecture, OS, and Version:
4.18.0-372.32.1.el8_6.x86_64 #1 SMP Fri Oct 7 12:35:10 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
3 master(cp,etcd), 3 worker

Kubernetes Version: v1.24.9

Hi,
I want to use the PIDs cgroup limit. I tried these solutions, but the problem is not solved.

First, I added the following to Cluster.yaml.

kubelet-arg:
  - "pod-max-pids=2048" 

After the restart, I observed this parameter in the output of this command - ps aux | grep kubelet | grep pids -
but this solution is deprecated.

Then I edited these lines in the containerd.toml.tmpl file as below. After the restart, my problem was not solved.

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    pids_limit = 2048

Then I edited Cluster.yaml again to use KubeletConfiguration, as described in the article below. After the restart, my problem was not solved.
https://www.suse.com/support/kb/doc/?id=000021322

kubelet-arg:
  - "--config=/etc/kubernetes/kubeletconfig.yml"

in /etc/kubernetes/kubeletconfig.yml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
podPidsLimit: 2048

After the restart, I observed this parameter in the output of this command - ps aux | grep kubelet | grep config -
but this solution is deprecated.

And lastly, I edited Cluster.yaml again and added this parameter - kube-reserved=pid=2048
After reconciling, I observed this parameter, but the problem is not solved.

I tried these solutions one by one, and after the changes I ran this command in a container - cat /sys/fs/cgroup/pids/pids.max
None of the solutions worked.
How do I limit pids in a container?
How do I use the PIDs cgroup limit?

Member

brandond commented Oct 15, 2024

You appear to be using RKE docs. RKE2 does not use cluster.yaml or any paths under /etc/kubernetes. Please reference the RKE2 docs at https://docs.rke2.io and try again.

> After restart, I observed this params the result of this command - ps aux | grep kubelet | grep config - but this solution is deprecated.

What about this is deprecated?

Author

ertanci commented Oct 16, 2024

Brandon, thanks for the reply.

ps aux | grep kubelet | grep config - this is not deprecated.
It was my copy mistake. Sorry for that. I observed this parameter, but the limitation of pids in the container was not observed.

When I said cluster.yaml, I meant the YAML file of kind Cluster in the cluster management menu in the Rancher interface. I am attaching a screenshot. I know that if I change this configuration using the GUI, it will change the config file - /etc/rancher/rke2/config.yaml.d/50-rancher.yaml
Screenshot 2024-10-16 at 08 41 18

Also, I had tried changing the LimitNPROC parameter in the systemd file (/usr/local/lib/systemd/system/rke2-agent.service).
But it did not work.

Actually, according to the SUSE document ( https://www.suse.com/support/kb/doc/?id=000021322 ),
I also tried the KubeletConfiguration solution suggested for RKE2, but it did not work.
Screenshot 2024-10-16 at 09 00 08

Thanks again for the reply. Let me continue my research at https://docs.rke2.io/

Member

brandond commented Oct 16, 2024

I would probably recommend just using

kubelet-arg:
  - "--pod-max-pids=2048"

Kubelet args are deprecated by upstream, but they are still very much supported. Rancher doesn't have any way to manage creating a kubelet config file on the node, so passing the path to one via kubelet args in the rancher UI is not recommended.
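
An added example, not part of the thread or of RKE2: the kubelet's pod PID limit (`pod-max-pids` / `podPidsLimit`) is written to the pod-level cgroup, so the container's own `pids.max`, which is what the `cat` in the first comment reads, can still show `max`. This sketch walks a process's pids cgroup upward and reports the lowest limit that actually applies. The function names are illustrative, and the mount points named in the comments assume a standard cgroup v1 or v2 layout.

```sh
#!/bin/sh
# Added example (not from the thread). A pids limit on a parent cgroup binds
# every child, even when the child's own pids.max reads "max".

# cgroup_rel_path FILE: print the pids cgroup path from a /proc/<pid>/cgroup file.
# cgroup v1 lines look like "11:pids:/path"; cgroup v2 has one line "0::/path".
cgroup_rel_path() {
    crp_v2=""
    while IFS=: read -r crp_id crp_ctrl crp_path; do
        case ",$crp_ctrl," in
            *,pids,*) printf '%s\n' "$crp_path"; return 0 ;;
        esac
        if [ "$crp_id" = "0" ] && [ -z "$crp_ctrl" ]; then crp_v2=$crp_path; fi
    done < "$1"
    if [ -n "$crp_v2" ]; then printf '%s\n' "$crp_v2"; return 0; fi
    return 1
}

# effective_pids_max ROOT REL: walk from ROOT/REL up to ROOT and print
# "<lowest limit> <cgroup dir that sets it>", or "max -" if nothing sets one.
# ROOT is /sys/fs/cgroup/pids on cgroup v1 and /sys/fs/cgroup on cgroup v2.
effective_pids_max() {
    epm_root=${1%/}
    epm_dir=$epm_root/${2#/}
    epm_dir=${epm_dir%/}
    epm_best=max
    epm_where=-
    while :; do
        if [ -r "$epm_dir/pids.max" ]; then
            read -r epm_val < "$epm_dir/pids.max" || true
            case $epm_val in
                ''|*[!0-9]*) ;;   # "max" or empty: no limit set at this level
                *)
                    if [ "$epm_best" = max ] || [ "$epm_val" -lt "$epm_best" ]; then
                        epm_best=$epm_val
                        epm_where=$epm_dir
                    fi ;;
            esac
        fi
        case $epm_dir in "$epm_root"|/|.) break ;; esac
        epm_dir=$(dirname "$epm_dir")
    done
    printf '%s %s\n' "$epm_best" "$epm_where"
}
```

Run it on the node, where the ancestor cgroups are visible, for a process that belongs to the container, for example `effective_pids_max /sys/fs/cgroup/pids "$(cgroup_rel_path /proc/<PID>/cgroup)"` on cgroup v1.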
