Installation
Configuration
Security
- Ensure protect-kernel-defaults is set. The kubelet then refuses to start when the kernel parameters differ from the values it expects, rather than silently changing them.
- Validate system configuration against the CIS-1.6 profile. With profile: cis-1.6, RKE2 checks the host requirements (the etcd user and the sysctl values set below) and exits with a fatal error if they are not met, in addition to applying its CIS-hardened defaults.
Config Values
protect-kernel-defaults: true
profile: cis-1.6
API TLS Certificate
Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert.
Config Values
tls-san:
- api.infra.tegridy.io
- 10.10.100.101
- 10.10.100.102
- 10.10.100.103
- cp-aik4b
- cp-doo5i
- cp-koeb3
- 127.0.0.1
Disable Builtin Addons
On the control plane nodes we install only the bare minimum of RKE2's bundled components; everything else is disabled here and provided separately. Note that with cni: none the nodes stay NotReady until a CNI has been deployed, and with kube-proxy disabled that CNI also has to take over Service routing.
- Disable network plugin
- Disable builtin cloud-controller
- Disable Kube proxy
- Disable Nginx ingress
- Disable CoreDNS
- Disable Metrics server
Config Values
cni: none
disable:
- rke2-coredns
- rke2-ingress-nginx
- rke2-metrics-server
disable-cloud-controller: true
disable-kube-proxy: true
Installation
Add etcd system user.
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
Create the file /etc/sysctl.d/60-rke2-cis.conf on the control plane node.
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
Restart the sysctl service.
systemctl restart systemd-sysctl
Create the file /etc/rancher/rke2/config.yaml on the control plane node.
protect-kernel-defaults: true
profile: cis-1.6
tls-san:
- api.infra.tegridy.io
- 10.10.100.101
- 10.10.100.102
- 10.10.100.103
- cp-aik4b
- cp-doo5i
- cp-koeb3
- 127.0.0.1
cni: none
disable:
- rke2-coredns
- rke2-ingress-nginx
- rke2-metrics-server
disable-cloud-controller: true
disable-kube-proxy: true
Make the config file readable and writable by root only.
chmod go-rwx /etc/rancher/rke2/config.yaml
Install RKE2 with this command. The script installs the server type by default; pin a release with INSTALL_RKE2_VERSION so that all control plane nodes run the same build.
curl -sfL https://get.rke2.io | sh -
Enable the RKE2 service in systemctl.
systemctl enable rke2-server.service
Start the RKE2 service with systemctl.
systemctl start rke2-server.service
Follow the logs if you’re curious.
journalctl -u rke2-server -f
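Once the service is up, the hardening steps above can be verified against the host instead of being taken on trust. The following script is an added example written for this page and is not part of RKE2: it checks the etcd system user, the sysctl file and the live kernel values, and the hardening keys and permissions of config.yaml. The paths are the ones used above; the script name and the check functions are this example's own.

```shell
#!/bin/sh
# rke2-cis-check.sh: verify, on a running control plane node, that the
# hardening steps above actually took effect. Added example written for
# this page, not part of RKE2; paths are the ones used above, the check
# functions and script name are this example's own.
set -u

CONFIG=/etc/rancher/rke2/config.yaml
SYSCTL_CONF=/etc/sysctl.d/60-rke2-cis.conf

# Kernel parameters the kubelet insists on under protect-kernel-defaults,
# written exactly as the sysctl file above writes them (key=value).
REQUIRED_SYSCTL='vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1'

# etcd must run as a dedicated system user with no login shell.
etcd_user_ok() {
    shell=$(getent passwd etcd 2>/dev/null | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Every required key=value line is present verbatim in FILE ($1).
sysctl_file_ok() {
    printf '%s\n' "$REQUIRED_SYSCTL" | while IFS= read -r want; do
        grep -qxF -- "$want" "$1" || exit 1
    done
}

# The running kernel reports every required value (a typo in the file or
# a later override from another sysctl.d file would otherwise go unnoticed).
sysctl_live_ok() {
    printf '%s\n' "$REQUIRED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(sysctl -n "$key" 2>/dev/null) || exit 1
        [ "$have" = "$want" ] || exit 1
    done
}

# Both hardening keys from the Security section are set in FILE ($1).
config_hardening_ok() {
    grep -qxF 'protect-kernel-defaults: true' "$1" &&
        grep -qxF 'profile: cis-1.6' "$1"
}

# FILE ($1) grants nothing to group or others, which is what "chmod go-rwx"
# should leave behind. Columns 5-10 of "ls -l" are those permission bits.
config_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# report NAME CHECK [ARGS...]: print PASS/FAIL and remember any failure.
report() {
    name=$1
    shift
    if "$@"; then
        echo "PASS $name"
    else
        echo "FAIL $name"
        rc=1
    fi
}

main() {
    rc=0
    report "etcd system user exists with nologin shell" etcd_user_ok
    report "$SYSCTL_CONF contains the four required keys" sysctl_file_ok "$SYSCTL_CONF"
    report "running kernel matches the sysctl file" sysctl_live_ok
    report "$CONFIG sets protect-kernel-defaults and profile" config_hardening_ok "$CONFIG"
    report "$CONFIG is not readable by group or others" config_mode_ok "$CONFIG"
    return "$rc"
}

# Run with "sh rke2-cis-check.sh check"; without the argument only the
# functions are defined, so the file can be sourced by other scripts.
if [ "${1:-}" = "check" ]; then
    main
fi
```

Run it as root with `sh rke2-cis-check.sh check` after `systemctl start rke2-server.service`; a non-zero exit status means at least one check printed FAIL. The live sysctl check matters as much as the file check: a parameter that is present in the file but overridden elsewhere still makes the kubelet refuse to start.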
High Availability
Note
For high availability you need two additional control plane nodes, three in total. The process is the same as for the first control plane node, except for the changes below. To register additional nodes you need the join token from the first control plane node; it is the cluster's shared secret, so handle it like a password.
cat /var/lib/rancher/rke2/server/node-token
Put the token into the new node's config file rather than exporting it in your shell: rke2-server runs as a systemd service and does not inherit variables from an interactive session, so an exported RKE2_TOKEN is never seen by it.
Create the file /etc/rancher/rke2/config.yaml as described for the first node, and add or change these settings. The server address is the shared API name on the supervisor port 9345 (it must resolve to a node that is already running); tls-san keeps the shared name and lists this node's own address.
server: https://api.infra.tegridy.io:9345
token: {YOUR_TOKEN}
...
tls-san:
- api.infra.tegridy.io
- 10.10.100.102 # ip of current node
- cp-doo5i # hostname of current node
- 127.0.0.1
...
Install, enable and start the RKE2 service as described for the first node.
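The per-node differences are small enough to generate rather than edit by hand. The following script is an added example and not RKE2's own tooling: it renders config.yaml for any of the three control plane nodes listed on this page, adding the server: and token: keys only when a join token is present. The node addresses and hostnames are taken from this page; the script name, the render_config and write_config helpers and the selection of the current node by hostname are assumptions of the example. It reads the join token from RKE2_TOKEN in the invoking shell and persists it in the file with mode 0600, which is how the token reaches the systemd service.

```shell
#!/bin/sh
# render-rke2-config.sh: write /etc/rancher/rke2/config.yaml for one of the
# control plane nodes on this page. Added example, not RKE2 tooling.
# Assumed: the node table below (addresses from this page) and that the
# join token, if any, arrives in RKE2_TOKEN from the invoking shell.
set -u

API_HOST=api.infra.tegridy.io             # shared API name, in every SAN list
SERVER_URL="https://${API_HOST}:9345"     # supervisor port joining nodes use
CONFIG_PATH=/etc/rancher/rke2/config.yaml

# Node table constructed from this page: IP and hostname of each node.
NODES='10.10.100.101 cp-aik4b
10.10.100.102 cp-doo5i
10.10.100.103 cp-koeb3'

# render_config IP HOSTNAME [TOKEN]
# Prints the config. Without TOKEN it is the first node's config; with
# TOKEN the server: and token: keys a joining node needs come first.
# The SAN list is the shared name plus this node's own address; listing
# every node, as the first node's config above does, also works.
render_config() {
    ip=$1
    host=$2
    token=${3:-}
    if [ -n "$token" ]; then
        printf 'server: %s\n' "$SERVER_URL"
        printf 'token: %s\n' "$token"
    fi
    cat <<EOF
protect-kernel-defaults: true
profile: cis-1.6
tls-san:
  - ${API_HOST}
  - ${ip}
  - ${host}
  - 127.0.0.1
cni: none
disable:
  - rke2-coredns
  - rke2-ingress-nginx
  - rke2-metrics-server
disable-cloud-controller: true
disable-kube-proxy: true
EOF
}

# write_config DEST IP HOSTNAME [TOKEN]
# Recreates DEST under umask 077 so it is 0600 from the first byte; the
# token is never exposed in a group- or world-readable file, not even briefly.
write_config() {
    dest=$1
    shift
    (umask 077; rm -f "$dest"; render_config "$@" > "$dest")
}

# main: pick this host's row from the node table and write its config.
# An empty RKE2_TOKEN produces the first node's config.
main() {
    me=$(hostname -s)
    printf '%s\n' "$NODES" | while read -r ip host; do
        [ "$host" = "$me" ] || continue
        write_config "$CONFIG_PATH" "$ip" "$host" "${RKE2_TOKEN:-}"
        echo "wrote $CONFIG_PATH for $host ($ip)"
    done
}

# Run with "sh render-rke2-config.sh write"; without the argument only the
# functions are defined.
if [ "${1:-}" = "write" ]; then
    main
fi
```

On the first node run `sh render-rke2-config.sh write` as root with RKE2_TOKEN unset; on the other two, run `RKE2_TOKEN=$(cat token) sh render-rke2-config.sh write` with the token copied from the first node. Because the token ends up in config.yaml, the 0600 mode that `chmod go-rwx` gave the first node's file is no longer a nicety but what keeps the cluster join secret off the local users' reading list.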
Check that all nodes show Ready. RKE2 ships kubectl at /var/lib/rancher/rke2/bin/kubectl and writes the admin kubeconfig to /etc/rancher/rke2/rke2.yaml (root-only, since it carries cluster-admin credentials); with cni: none the nodes only report Ready once a CNI has been deployed.
kubectl get nodes
NAME STATUS ROLES AGE VERSION
cp-aik4b Ready control-plane,etcd,master 5h13m v1.22.6+k3s1
cp-doo5i Ready control-plane,etcd,master 5h13m v1.22.6+k3s1
cp-koeb3 Ready control-plane,etcd,master 5h13m v1.22.6+k3s1