Ivan Sim ihcsim

Changing RKE2 etcd storage size:

echo 'etcd-arg: "quota-backend-bytes=4294967296"' > /etc/rancher/rke2/config.yaml.d/etcd.yaml

Reset RKE2 on Harvester

The rke2 server --cluster-reset command can be used to reset etcd to a single-node cluster, with its data intact.

Stop the RKE2 server:

sudo systemctl stop rke2-server

	---
	apiVersion: apiextensions.k8s.io/v1
	kind: CustomResourceDefinition
	metadata:
	annotations:
	name: vnodes.virt.dev
	spec:
	group: virt.dev
	names:
	kind: VNode

	package cel

	const (
	// PerCallLimit specify the actual cost limit per CEL validation call
	// current PerCallLimit gives roughly 0.1 second for each expression validation call
	PerCallLimit = 1000000

	// RuntimeCELCostBudget is the overall cost budget for runtime CEL validation cost per ValidatingAdmissionPolicyBinding or CustomResource
	// current RuntimeCELCostBudget gives roughly 1 seconds for the validation
	RuntimeCELCostBudget = 10000000

	// Evaluate runs a compiled CEL admission plugin expression using the provided activation and CEL
	// runtime cost budget.
	func (a *evaluationActivation) Evaluate(ctx context.Context, compositionCtx CompositionContext, compilationResult CompilationResult, remainingBudget int64) (EvaluationResult, int64, error) {
	// ...
	t1 := time.Now()
	evalResult, evalDetails, err := compilationResult.Program.ContextEval(ctx, a)
	// budget may be spent due to lazy evaluation of composited variables
	if compositionCtx != nil {
	compositionCost := compositionCtx.GetAndResetCost()
	if compositionCost > remainingBudget {

	// ForInput evaluates the compiled CEL expressions converting them into CELEvaluations
	// errors per evaluation are returned on the Evaluation object
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	func (c condition) ForInput(ctx context.Context, versionedAttr admission.VersionedAttributes, request admissionv1.AdmissionRequest, inputs OptionalVariableBindings, namespace v1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error) {
	// ...
	remainingBudget := runtimeCELCostBudget
	for i, compilationResult := range c.compilationResults {
	evaluations[i], remainingBudget, err = activation.Evaluate(ctx, compositionCtx, compilationResult, remainingBudget)
	if err != nil {
	return nil, -1, err

	func (v validator) Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult {
	// ...
	evalResults, remainingBudget, err := v.validationFilter.ForInput(ctx, versionedAttr, admissionRequest, optionalVars, ns, runtimeCELCostBudget)
	if err != nil {
	return ValidateResult{
	Decisions: []PolicyDecision{
	{
	Action: policyDecisionActionForError(f),
	Evaluation: EvalError,
	Message: err.Error(),

	// Dispatch implements generic.Dispatcher.
	func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []PolicyHook) error {
	// ...
	validationResults = append(validationResults,
	hook.Evaluator.Validate(
	ctx,
	matchResource,
	versionedAttr,
	p,
	namespace,

	// Plugin is an implementation of admission.Interface.
	type Policy = v1.ValidatingAdmissionPolicy
	type PolicyBinding = v1.ValidatingAdmissionPolicyBinding
	type PolicyEvaluator = Validator
	type PolicyHook = generic.PolicyHook[Policy, PolicyBinding, PolicyEvaluator]

	// Validate makes an admission decision based on the request attributes.
	func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error {
	return a.Plugin.Dispatch(ctx, attr, o)
	}